SSL Client authentication

2002-06-18 Thread Spiros Vazaloukas 

Hi all,

I am using SSL client authentication on Tomcat 4.0.1 but I am
getting some errors. I've enabled client authentication in
server.xml and I've created all the certificates.
If somebody has some experience in similar configurations
please have a look to the steps I followed and let me know
if you see something wrong:


* Generate tomcat certificate ***
keytool -genkey -alias tomcat -keyalg RSA
keytool -certreq -alias tomcat -file tomcat.csr

* Generate the ca certificate ***
openssl req -new -newkey rsa:512 -nodes - \
out ca.req -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 \
-req -in ca.req -out ca.crt

* Sign the tomcat request to generate my certificates *
openssl x509 -CA ca.crt -CAkey ca.key -in tomcat.csr \
-out tomcat.crt -req -CAcreateserial

 Import both into the cacerts ***
keytool -import -file ca.crt -alias RootCert \
-keystore $JAVA_HOME/jre/lib/security/cacerts
keytool -import -file tomcat.crt -alias tomcat  \
-keystore $JAVA_HOME/jre/lib/security/cacerts

*** Generate a client certificate  ***
openssl req -new -newkey rsa:512 -nodes -out \
client.req -keyout client.key
openssl x509 -CA ca.crt -CAkey ca.key -req -in
client.req -out client.crt

But when I run the following test:
openssl s_client -cert client.crt -key client.key \
-connect localhost:8443
I get an error:

CONNECTED(0003)
2504:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:455:

Any idea?

Thanks
Spiros




--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

SSL client authentication

2002-03-13 Thread Greg Bailey 

Is there a way to configure Tomcat to allow/disallow access to a web 
application based on the common name (CN) in an SSL client certificate? 
  I can set "clientAuth=true" in the server.xml, which works fine, and I 
know I can read the certificate once I'm "in" the web application, but 
I'm looking for a way to do this before Tomcat passes the request on to 
the web application.

i.e. I'm looking for something analogous to the mod_ssl directives like 
"SSLRequire", "SSLVerifyDepth", etc.  Any ideas?  Is this type of thing 
supported in Tomcat 3?  4?  Neither?  The SSL docs are great from a 
server perspective but I couldn't find much that's client-related. 
Thanks for any input!

Greg Bailey
[EMAIL PROTECTED]


--
To unsubscribe:   
For additional commands: 
Troubles with the list:

SSL Client Authentication

2002-12-16 Thread Francisco Junqueira 
Hi all,
 
I have a B2B app that needs optionally the client
authentication because not always the client has a certificate, but
unfortunately Tomcat apparently doesn't have this option like apache.
For this reason I still have apache as my web server and Tomcat as
application server, but I'd like to migrate to Tomcat.
 
At the Tomcat config files we have the directive in the
server.xml:
clientAuth="false" (or true)
 
but I'd like to set it to optional.
 
Does anyone knows a workaround for this?
 
Regards,
 
Chico.

SSL client authentication

2003-09-21 Thread Twan Munster 
 
Hello,

I've always used apache http server for client authenticatien with ssl. I've installed 
Tomcat now voor mij jsp's.
But I'm not able to get the ssl client authentication working. The problem is getting 
my existing certificates working in tomcat. Is apache http server it was very easy. I 
configured all the stuff in my httpd.conf. 
I also tried to get tomcat working with keytool. But ther's something I do wrong. I 
alwas get "handshake error".

Can somebody please tell me how to use keytool. I've got the following certificates:

1 server.crt = server certificate
2 ca.crt = chain certificate
3 ca-bundle.crt = lots of certificates for client authentication
4 server.key = i really don't know how to get this one in keytool

Thnx

Twan Munster

SSL Client authentication

2004-01-17 Thread tkassem 
Hi All,
 
Using jboss-3.2.3-tomact 4.1.29, i've got both server and client
authentication fully working. Using the same keystore and with
clientAuth set to false, everything works fine, but when i set
clientAuth to 'true', the server fails to authenticate my client. 
My connector in .../jbossweb-tomcat.sar/META-INF/jboss-service.xml is...


 
 

 
The log file error indicates the handshake failed - 'null cert chain'. 
 
 
any help.

SSL client Authentication problem.

2001-06-12 Thread Arnaud . PIERRE 

hello all,

I am testing Tomcat standalone with client authentication on, and getting
some odd results.  It works fine if client authentication is not turned on
(for both IE and Netscape browsers).  If I turn on client authentication,
Netscape claims that I do not have a personal certificate, and IE asks me to
choose from an empty list of certificates. 
Any ideas on the problem with the certificate request when I use Tomcat
standalone?  Is there some configuration to indicate the type of certificate
the server is requesting?  I am using both client & server certificates
generated by Openssl.
More precisely I have an Server Certificate stored in Keystore (Tomcat side)
and a client
Certificate integrated in my browser. Both certificates are signed by a CA
Authority whose
certificate is on my browser too. 
This problem has been already encoutered by many people
([EMAIL PROTECTED] for example) 
Many thanks,
Arnaud Pierre.

PS: I use tomcat 4.0b5

Tomcat: SSL client authentication

2003-07-25 Thread Dmitry S.Rogulin 
Hello all,

I'm


Best regards,
Dmitry.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Tomcat: SSL client authentication

2003-07-25 Thread Dmitry S.Rogulin 
Hello all,

Sorry for the previous e-mail. %)

This theme was discussed about month ago. I tried to use what I've
found but I'm still having a problem...

I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth="true").

1. I've generated a client certificate using keytool:
  keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore

2. Then I created Certificate Signing Request:
  keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore 
client.keystore

3. I sent it to CA and got a signed certificate and CA Certificate.
4. I imported them to the client keystore:
  keytool -import -alias root -keystore client.keystore -file cacert
  keytool -import -alias tomcat-cl -keystore client.keystore -file usercert

5. I exported server certificate and imported it as a trusted to the
trusted keystore:
  keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore

6. I imported CA Certificate to "\jre\lib\security\cacerts" :
  keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts 
-storepass changeit

  I'm running Tomcat and test client on the same machine.
  Server keystore: %USERHOME%\.keystore
  Client keystore: %USERHOME%\client.keystore
  Client trusted keystore: %USERHOME%\trust.keystore

  Test Client:

import java.net.*;
import java.io.*;
import java.util.*;
import java.security.*;
import javax.net.ssl.*;

public class SimpleClient {

public static void main(String[] args) {
System.setProperty("javax.net.ssl.trustStore", 
System.getProperty("user.home")+File.separator +"trust.keystore");

System.setProperty("javax.net.ssl.keyStore", 
System.getProperty("user.home")+File.separator +"client.keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

InputStream is = null;
OutputStream os = new ByteArrayOutputStream();

try {
URL url = new URL("https://localhost:8443/readme.txt";);

try {
is = url.openStream();

byte[] buffer = new byte[4096];
int bytes_read;
while((bytes_read = is.read(buffer)) != -1)
os.write(buffer, 0, bytes_read);

System.out.println(os.toString());

} catch (Exception e) { e.printStackTrace(); }
finally {
try {
is.close();
os.close();
} catch (IOException e) { e.printStackTrace(); }
}

} catch (Exception e) { e.printStackTrace(); }


}
}


With [clientAuth="false"] it works fine, but with [clientAuth="true"]
it gives an error:

java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)

What did I do in a wrong way?

Thanks in advance.

Best regards,
Dmitry.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL client authentication

2003-09-22 Thread Bill Barker 
Personally, I think that the easiest way to move an Apache cert to a Tomcat
cert is to export it to a pkcs12 file and use that as the keystore (of
course, setting keystoreType="pkcs12" on the Factory element).

Using OpenSSL, something like:
$ openssl pkcs12 -export -chain -inkey server.key -in server.crt -CAfile
ca.crt \
   -name tomcat -caname root -out server.p12

"Twan Munster" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]

Hello,

I've always used apache http server for client authenticatien with ssl. I've
installed Tomcat now voor mij jsp's.
But I'm not able to get the ssl client authentication working. The problem
is getting my existing certificates working in tomcat. Is apache http server
it was very easy. I configured all the stuff in my httpd.conf.
I also tried to get tomcat working with keytool. But ther's something I do
wrong. I alwas get "handshake error".

Can somebody please tell me how to use keytool. I've got the following
certificates:

1 server.crt = server certificate
2 ca.crt = chain certificate
3 ca-bundle.crt = lots of certificates for client authentication
4 server.key = i really don't know how to get this one in keytool

Thnx

Twan Munster




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

SSL Client authentication woes

2003-10-01 Thread Christopher Williams 
My setup:
Windows XP Pro
JDK 1.4.1
JWSDP 1.0

I'm hoping to get SSL client authentication working for web services.  I set
up Tomcat for SSL ages ago and it works fine.  However, I run into multiple
problems when I attempt to use SSL client authentication.

I have enabled client authentication by changing the value of "clientAuth"
in server.xml to true.  I removed all  and
 entries from my web.xml as they didn't appear to have any
effect (question: am I right to do so?  I've done my research on the web and
there are no consistent instructions for what to do).

When I access https://localhost:8443/ in Internet Explorer, I get notified
that a private key is being used and the server home page displays fine.
However, when I first access the page, the following stack trace appears on
Tomcat's console:

 PoolTcpEndpoint: Handshake failed
 javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
 ...
 Caused by: java.io.EOFException: SSL peer shut down incorrectly
 at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
 ... 7 more
 ThreadPool: Caught exception executing
[EMAIL PROTECTED], terminating thread
 java.lang.NullPointerException
at
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
...

Does anybody know what the problem is here?

The second thing is, I want to know who's accessing pages and web services.
That's the whole point of authentication, right?  However, when SSL client
authentication is in force, the following calls all return null:

request.getUserPrincipal()
request.getRemoteUser()
request.getAttribute("javax.servlet.request.X509Certificate")
request.getAttribute("org.apache.coyote.request.X509Certificate")

This seems most bizarre.  At some point these calls must return non-null
values as they are used in
org.apache.catalina.authenticator.SSLAuthenticator.  Does anybody know
whether there are any server settings to make these calls return the correct
values?

Ideally, I would like to have just one or two URL-patterns protected by SSL,
like you do with HTTP authentication rather than it being all or nothing.
Is this possible with Tomcat?

Kind regards,

Chris Williams.



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

ssl client authentication again

2003-10-10 Thread Twan Munster 
Hello,

I've worked around with using apache+mod_ssl, but i'm running in several problems now 
so please can somebody help me with the next problem:

I've always used apache http server for client authenticatien with ssl. I've installed 
Tomcat now voor mij jsp's.
But I'm not able to get the ssl client authentication working. The problem is getting 
my existing certificates working in tomcat. Is apache http server it was very easy. I 
configured all the stuff in my httpd.conf. 
I also tried to get tomcat working with keytool. But ther's something I do wrong. I 
alwas get "handshake error".

Can somebody please tell me how to use keytool. I've got the following certificates:

1 server.crt = server certificate
2 ca.crt = chain certificate
3 ca-bundle.crt = lots of certificates for client authentication
4 server.key = i really don't know how to get this one in keytool

Thnx

Twan Munster

Re: SSL Client authentication

2004-01-17 Thread Bill Barker 
It sounds like your client is trying to send a self-signed cert (which won't
work).  The client needs to send a cert that is signed by somebody in the
TrustStore.

"tkassem" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi All,
>
> Using jboss-3.2.3-tomact 4.1.29, i've got both server and client
> authentication fully working. Using the same keystore and with
> clientAuth set to false, everything works fine, but when i set
> clientAuth to 'true', the server fails to authenticate my client.
> My connector in .../jbossweb-tomcat.sar/META-INF/jboss-service.xml is...
>
>
>  port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
> acceptCount="10" debug="5" scheme="https" secure="true">
> 
> keystoreFile="/opt/local/.keystore" keystorePass="picalo"
> clientAuth="true" protocol="SSLv3"/>
>
>
> The log file error indicates the handshake failed - 'null cert chain'.
>
>
> any help.
>
>
>
>




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Tomcat SSL Client Authentication

2005-04-27 Thread lercoli 
Hello

I've configured Tomcat SSL Client Authentication with these settings :



web.xml

...




Entire Application

/*

GET

POST





CONFIDENTIAL








CLIENT-CERT

 

.



server.xml

.





...



Client certificate (client.cer) is installed in my IE Browser (version 6.0.28).

When I invoke htpps://localhost:8443/myweapp appears a window that asks me to 
accept the server certificate.

I accept and my webapp index page appears.

So why I don't see a window for client authentication ?

And why I 've the same behaviour also when I remove the client.cer from my 
Browser ?

It seems that client-certification doesn't work.



Any help would be greatly appreciated.



Thank You



Luca Ercoli

Help with ssl client authentication

2001-08-31 Thread Ricardo 

Hi all, and thanks for reading me ...

I have read a lot of posts about client authentication with tomcat and i
"""pray""" to somebody for giving a
final solution to this problem in Tomcat 4.0 b7.
I mean, could somebody describe all the process (commands used) of the
certificates generation (keytool + openssl), conversion and instalation
of this certificates in the tomcat keystore and IE ?

Thank in advance,


Ricardo Borillo Domenech
Programació - Servei d'Informàtica
Universitat Jaume I

Tomcat 4 - SSL - Client Authentication

2003-01-18 Thread Shiva.Devaguptapu 
Hi,
I am using Tomcat 4 on a linux system. I am trying to enable SSL
with
client authentication enabled. I want the client to be the Internet
Explorer, running
on Win2K, my desktop. I found the following steps on the net and tried.
*   Create keys on the server
*   Create the certificate on the server
*   Uncomment the required part in the server.xml of Tomcat
*   Enter appropriate values for the attributes in server.xml as :

  

*   Create keys on the client
*   Create the certificate on the client
*   Import the cliet certificate on the server
*   Import the client certificate into Internet Explorer
Now I started tomcat and I tried to access from the IE, the URL
https://192.168.200.12:8453 - then the Client Authentication dialog box
appears
without any certificates in the list, as a result I cannot select any
certificate, and
if I click on OK button, it says page cannot be displayed.
I also tried importing the client certificate into
$JAVA_HOME/jre/lib/security/cacerts
on the serverand even that did not solve the problem and even I tried
importing
the server certificate on the client side into
$JAVA_HOME/jre/lib/security/cacerts
and into IE as well and even after the problem is not solved.
I am including all the commands I used to perform the above steps.
Can anyone help me out in getting this done.
Thanks in advance,
Shiva.

=
Commnands used
=
***For generating server keys on Linux***
keytool -genkey -alias tomcat-sv \
  -keyalg RSA -keypass changeit \
  -storepass changeit \
  -keystore $CATALINA_HOME/keystore/server.keystore
***this keystore directory is created by me***
---
***For generating server cetificate on Linux***
keytool -export -alias tomcat-sv \
  -storepass changeit \
  -file server.cer \
  -keystore $CATALINA_HOME/keystore/server.keystore
---
***For generating client keys on Win2K***
keytool -genkey -alias tomcat-cl ^
  -keyalg RSA -keypass changeit ^
  -storepass changeit ^
  -keystore C:\ssltest\mykeystore\client.keystore
---
***For generating client cetificate on Win2K***
keytool -export -alias tomcat-cl ^
  -storepass changeit ^
  -file C:\ssltest\client.cer ^
  -keystore C:\ssltest\mykeystore\client.keystore
---
***For importing the client certificate on the server***
keytool -import -v -trustcacerts \
  -alias tomcat -file client.cer \
  -keypass changeit \
  -storepass changeit \
  -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore
=

--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Tomcat 4 - SSL - Client Authentication

2003-01-20 Thread Shiva.Devaguptapu 
Hi,
I am using Tomcat 4 on a linux system. I am trying to enable SSL
with
client authentication enabled. I want the client to be the Internet
Explorer, running
on Win2K, my desktop. I found the following steps on the net and tried.
*   Create keys on the server
*   Create the certificate on the server
*   Uncomment the required part in the server.xml of Tomcat
*   Enter appropriate values for the attributes in server.xml as :

  

*   Create keys on the client
*   Create the certificate on the client
*   Import the cliet certificate on the server
*   Import the client certificate into Internet Explorer
Now I started tomcat and I tried to access from the IE, the URL
https://192.168.200.12:8453 - then the Client Authentication dialog box
appears
without any certificates in the list, as a result I cannot select any
certificate, and
if I click on OK button, it says page cannot be displayed.
I also tried importing the client certificate into
$JAVA_HOME/jre/lib/security/cacerts
on the serverand even that did not solve the problem and even I tried
importing
the server certificate on the client side into
$JAVA_HOME/jre/lib/security/cacerts
and into IE as well and even after the problem is not solved.
I am including all the commands I used to perform the above steps.
Can anyone help me out in getting this done.
Thanks in advance,
Shiva.

=
Commnands used
=
***For generating server keys on Linux***
keytool -genkey -alias tomcat-sv \
  -keyalg RSA -keypass changeit \
  -storepass changeit \
  -keystore $CATALINA_HOME/keystore/server.keystore
***this keystore directory is created by me***
---
***For generating server cetificate on Linux***
keytool -export -alias tomcat-sv \
  -storepass changeit \
  -file server.cer \
  -keystore $CATALINA_HOME/keystore/server.keystore
---
***For generating client keys on Win2K***
keytool -genkey -alias tomcat-cl ^
  -keyalg RSA -keypass changeit ^
  -storepass changeit ^
  -keystore C:\ssltest\mykeystore\client.keystore
---
***For generating client cetificate on Win2K***
keytool -export -alias tomcat-cl ^
  -storepass changeit ^
  -file C:\ssltest\client.cer ^
  -keystore C:\ssltest\mykeystore\client.keystore
---
***For importing the client certificate on the server***
keytool -import -v -trustcacerts \
  -alias tomcat -file client.cer \
  -keypass changeit \
  -storepass changeit \
  -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore
=

--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: Tomcat: SSL client authentication

2003-07-26 Thread Bill Barker 
You can't generally use a self-signed client cert with JSSE (you can
configure PureTLS to accept it, but another bug means that you'd have to
wait for 4.1.26).  The work-around is way too much trouble for the sysadmin,
and I don't feel like being an enabler for a true hideous design.  So,
you'll just have to read the JSSE docs for yourself ;-).

If you need to issue your own client-certs, I'd suggest setting up your own
CA (with OpenSSL or otherwise), and import your CA's cert into cacerts.  You
can then hand out client certs, and Tomcat will accept them.

"Dmitry S.Rogulin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hello all,
>
> Sorry for the previous e-mail. %)
>
> This theme was discussed about month ago. I tried to use what I've
> found but I'm still having a problem...
>
> I'm trying to do SSL client authentication with Tomcat 4.1.18
(clientAuth="true").
>
> 1. I've generated a client certificate using keytool:
>   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
>
> 2. Then I created Certificate Signing Request:
>   keytool -certreq -keyalg RSA -alias tomcat-cl -file
certreq.csr -keystore client.keystore
>
> 3. I sent it to CA and got a signed certificate and CA Certificate.
> 4. I imported them to the client keystore:
>   keytool -import -alias root -keystore client.keystore -file cacert
>   keytool -import -alias tomcat-cl -keystore client.keystore -file
usercert
>
> 5. I exported server certificate and imported it as a trusted to the
> trusted keystore:
>   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore
trust.keystore
>
> 6. I imported CA Certificate to "\jre\lib\security\cacerts" :
>   keytool -import -file cacert -keystore
%java_home%\jre\lib\security\cacerts -storepass changeit
>
>   I'm running Tomcat and test client on the same machine.
>   Server keystore: %USERHOME%\.keystore
>   Client keystore: %USERHOME%\client.keystore
>   Client trusted keystore: %USERHOME%\trust.keystore
>
>   Test Client:
> 
> import java.net.*;
> import java.io.*;
> import java.util.*;
> import java.security.*;
> import javax.net.ssl.*;
>
> public class SimpleClient {
>
> public static void main(String[] args) {
> System.setProperty("javax.net.ssl.trustStore",
System.getProperty("user.home")+File.separator +"trust.keystore");
>
> System.setProperty("javax.net.ssl.keyStore",
System.getProperty("user.home")+File.separator +"client.keystore");
> System.setProperty("javax.net.ssl.keyStorePassword",
"changeit");
>
> InputStream is = null;
> OutputStream os = new ByteArrayOutputStream();
>
> try {
> URL url = new
URL("https://localhost:8443/readme.txt";);
>
> try {
> is = url.openStream();
>
> byte[] buffer = new byte[4096];
> int bytes_read;
> while((bytes_read = is.read(buffer))
!= -1)
> os.write(buffer, 0, bytes_read);
>
> System.out.println(os.toString());
>
> } catch (Exception e) { e.printStackTrace(); }
> finally {
> try {
> is.close();
> os.close();
> } catch (IOException e) {
e.printStackTrace(); }
> }
>
> } catch (Exception e) { e.printStackTrace(); }
>
>
> }
> }
> 
>
> With [clientAuth="false"] it works fine, but with [clientAuth="true"]
> it gives an error:
>
> java.net.SocketException: Software caused connection abort: recv failed
> at java.net.SocketInputStream.socketRead0(Native Method)
> at java.net.SocketInputStream.read(SocketInputStream.java:129)
> at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
> at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>
> What did I do in a wrong way?
>
> Thanks in advance.
>
> Best regards,
> Dmitry.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL Client authentication woes

2003-10-01 Thread Bill Barker 

"Christopher Williams" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> My setup:
> Windows XP Pro
> JDK 1.4.1
> JWSDP 1.0
>
> I'm hoping to get SSL client authentication working for web services.  I
set
> up Tomcat for SSL ages ago and it works fine.  However, I run into
multiple
> problems when I attempt to use SSL client authentication.
>
> I have enabled client authentication by changing the value of "clientAuth"
> in server.xml to true.  I removed all  and
>  entries from my web.xml as they didn't appear to have any
> effect (question: am I right to do so?  I've done my research on the web
and
> there are no consistent instructions for what to do).
>

Tomcat currently has only very light support for this, but this is
orthogonal to your current problem.

> When I access https://localhost:8443/ in Internet Explorer, I get notified
> that a private key is being used and the server home page displays fine.
> However, when I first access the page, the following stack trace appears
on
> Tomcat's console:
>
>  PoolTcpEndpoint: Handshake failed
>  javax.net.ssl.SSLHandshakeException: Remote host closed connection
> during handshake
>  ...
>  Caused by: java.io.EOFException: SSL peer shut down incorrectly
>  at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
>  ... 7 more
>  ThreadPool: Caught exception executing
> [EMAIL PROTECTED], terminating thread
>  java.lang.NullPointerException
> at
> org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
> ...
>
> Does anybody know what the problem is here?

Tomcat obviously doesn't like your client-cert, or (more likely) you don't
have any.  By default, only Verisign & Thwate signed client certs are
recoginized (at least with Sun's JVM).  If this is your problem, then you
need to set up a TrustStore (or import the signer into cacerts).  Searching
the archives for 'TrustStore' will give you an answer faster than waiting on
me.

>
> The second thing is, I want to know who's accessing pages and web
services.
> That's the whole point of authentication, right?  However, when SSL client
> authentication is in force, the following calls all return null:
>
> request.getUserPrincipal()
> request.getRemoteUser()
> request.getAttribute("javax.servlet.request.X509Certificate")
> request.getAttribute("org.apache.coyote.request.X509Certificate")
>
> This seems most bizarre.  At some point these calls must return non-null
> values as they are used in
> org.apache.catalina.authenticator.SSLAuthenticator.  Does anybody know
> whether there are any server settings to make these calls return the
correct
> values?
>
> Ideally, I would like to have just one or two URL-patterns protected by
SSL,
> like you do with HTTP authentication rather than it being all or nothing.
> Is this possible with Tomcat?
>

This is in the FAQ.

> Kind regards,
>
> Chris Williams.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Tomcat 4 + ssl + client authentication

2003-10-09 Thread Kenneth Westelinck 
Hi all,

I've been searching the internet for 2 days now and still haven't found a 
solution for my problem. I am trying to set up a Tomcat 4 server running in 
HTTPS mode, contacted by a client written in Java. The client is using 
HTTPClient from apache. I have done everything the document at 
http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html describes. 
If I disable client authentication in the tomcat config, the client is able 
to comunicate with the server. If I enable the authentication the client 
aborts with the following exception:
java.net.SocketException: Software caused connection abort: JVM_recv in 
socket input stream read
	at java.net.SocketInputStream.socketRead0(Native Method)
...

I enabled all possible debugging on the Tomcat server and this is part of 
what I found in the console:
Thread-10, WRITE:  SSL v3.1 Handshake, length = 625
Thread-10, READ:  SSL v3.1 Handshake, length = 141
*** Certificate chain
***
Thread-10, SEND SSL v3.1 ALERT:  fatal, description = bad_certificate
Thread-10, WRITE:  SSL v3.1 Alert, length = 2

The client's certificate cannot be bad. It was signed with the server's key 
and it's in the server's keystore.

I have no idea what is goin wrong. Can someone tell me how to make this 
work?

MTIA

regards,

Kenneth

_
Op zoek naar makkelijk recept? http://www.msn.be/culinair
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: ssl client authentication again

2003-10-10 Thread Bill Barker 
The Tomcat 5 docs have an example for this:
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

Since it's just about setting up the KeyStore, this section applies to
Tomcat 4 (or even Tomcat 3 :) as well.

"Twan Munster" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Hello,

I've worked around with using apache+mod_ssl, but i'm running in several
problems now so please can somebody help me with the next problem:

I've always used apache http server for client authenticatien with ssl. I've
installed Tomcat now voor mij jsp's.
But I'm not able to get the ssl client authentication working. The problem
is getting my existing certificates working in tomcat. Is apache http server
it was very easy. I configured all the stuff in my httpd.conf.
I also tried to get tomcat working with keytool. But ther's something I do
wrong. I alwas get "handshake error".

Can somebody please tell me how to use keytool. I've got the following
certificates:

1 server.crt = server certificate
2 ca.crt = chain certificate
3 ca-bundle.crt = lots of certificates for client authentication
4 server.key = i really don't know how to get this one in keytool

Thnx

Twan Munster




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

2 way SSL ( client authentication)

2003-12-28 Thread Amjad Shahrour 
Hi all,

 

I am trying to implement 2 way SSL ( client authentication) on tomcat 4.

 

 I am following all steps.

But still have something missing.  ( all documentations descrips how to
deal with certificates that are varified by CA).

 

I need to know how to generate a normal self-signed certificate and how
to use it in a proper way.

 

Thnx.

 

 

 

Amjad Shahrour

Application Developer

Tel: +966.2.653.3334 ext 213

[EMAIL PROTECTED]

www.labbaik.com

Re: Tomcat SSL Client Authentication

2005-04-27 Thread ohaya 
Hi,

I believe that the "clientAuth" needs to be set to "true" in the
server.xml.

Jim



lercoli wrote:
> 
> Hello
> 
> I've configured Tomcat SSL Client Authentication with these settings :
> 
> web.xml
> 
> ...
> 
> 
> 
> 
> Entire Application
> 
> /*
> 
> GET
> 
> POST
> 
> 
> 
> 
> 
> CONFIDENTIAL
> 
> 
> 
> 
> 
> 
> 
> CLIENT-CERT
> 
> 
> 
> .
> 
> server.xml
> 
> .
> 
>  
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> 
> enableLookups="false" disableUploadTimeout="true"
> 
> acceptCount="100" scheme="https" secure="true"
> 
> clientAuth="false" sslProtocol="TLS"
> 
> keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
> 
> truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
> 
> ...
> 
> Client certificate (client.cer) is installed in my IE Browser (version 
> 6.0.28).
> 
> When I invoke htpps://localhost:8443/myweapp appears a window that asks me to 
> accept the server certificate.
> 
> I accept and my webapp index page appears.
> 
> So why I don't see a window for client authentication ?
> 
> And why I 've the same behaviour also when I remove the client.cer from my 
> Browser ?
> 
> It seems that client-certification doesn't work.
> 
> Any help would be greatly appreciated.
> 
> Thank You
> 
> Luca Ercoli

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Tomcat SSL Client Authentication

2005-04-27 Thread lercoli 
Hi Jim

I've tried with clientAuth = true but server certificate window doesn't
appear and I get page not found error.

- Original Message - 
From: "ohaya" <[EMAIL PROTECTED]>
To: "Tomcat Users List" 
Sent: Wednesday, April 27, 2005 12:49 PM
Subject: Re: Tomcat SSL Client Authentication


> Hi,
>
> I believe that the "clientAuth" needs to be set to "true" in the
> server.xml.
>
> Jim
>
>
>
> lercoli wrote:
> >
> > Hello
> >
> > I've configured Tomcat SSL Client Authentication with these settings :
> >
> > web.xml
> >
> > ...
> > 
> >
> > 
> >
> > Entire Application
> >
> > /*
> >
> > GET
> >
> > POST
> >
> > 
> >
> > 
> >
> > CONFIDENTIAL
> >
> > 
> >
> > 
> >
> > 
> >
> > CLIENT-CERT
> >
> > 
> >
> > .
> >
> > server.xml
> >
> > .
> >
> >  >
> > maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> >
> > enableLookups="false" disableUploadTimeout="true"
> >
> > acceptCount="100" scheme="https" secure="true"
> >
> > clientAuth="false" sslProtocol="TLS"
> >
> > keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
> >
> > truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
> >
> > ...
> >
> > Client certificate (client.cer) is installed in my IE Browser (version
6.0.28).
> >
> > When I invoke htpps://localhost:8443/myweapp appears a window that asks
me to accept the server certificate.
> >
> > I accept and my webapp index page appears.
> >
> > So why I don't see a window for client authentication ?
> >
> > And why I 've the same behaviour also when I remove the client.cer from
my Browser ?
> >
> > It seems that client-certification doesn't work.
> >
> > Any help would be greatly appreciated.
> >
> > Thank You
> >
> > Luca Ercoli
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Tomcat SSL Client Authentication

2005-04-27 Thread ohaya 
Hi,

Sorry if that didn't help. 

Here's what I have in server.xml (I don't remember if I had to change
anything outside of server.xml to enable client authentication):




Jim

P.S.  When I was doing this (which was awhile ago), I didn't find any
way to get Tomcat to check for client cert revocations (i.e., CRL
checking).  I don't know if that has changed at all since then.


lercoli wrote:
> 
> Hi Jim
> 
> I've tried with clientAuth = true but server certificate window doesn't
> appear and I get page not found error.
> 
> - Original Message -
> From: "ohaya" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" 
> Sent: Wednesday, April 27, 2005 12:49 PM
> Subject: Re: Tomcat SSL Client Authentication
> 
> > Hi,
> >
> > I believe that the "clientAuth" needs to be set to "true" in the
> > server.xml.
> >
> > Jim
> >
> >
> >
> > lercoli wrote:
> > >
> > > Hello
> > >
> > > I've configured Tomcat SSL Client Authentication with these settings :
> > >
> > > web.xml
> > >
> > > ...
> > > 
> > >
> > > 
> > >
> > > Entire Application
> > >
> > > /*
> > >
> > > GET
> > >
> > > POST
> > >
> > > 
> > >
> > > 
> > >
> > > CONFIDENTIAL
> > >
> > > 
> > >
> > > 
> > >
> > > 
> > >
> > > CLIENT-CERT
> > >
> > > 
> > >
> > > .
> > >
> > > server.xml
> > >
> > > .
> > >
> > >  > >
> > > maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> > >
> > > enableLookups="false" disableUploadTimeout="true"
> > >
> > > acceptCount="100" scheme="https" secure="true"
> > >
> > > clientAuth="false" sslProtocol="TLS"
> > >
> > > keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
> > >
> > > truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
> > >
> > > ...
> > >
> > > Client certificate (client.cer) is installed in my IE Browser (version
> 6.0.28).
> > >
> > > When I invoke htpps://localhost:8443/myweapp appears a window that asks
> me to accept the server certificate.
> > >
> > > I accept and my webapp index page appears.
> > >
> > > So why I don't see a window for client authentication ?
> > >
> > > And why I 've the same behaviour also when I remove the client.cer from
> my Browser ?
> > >
> > > It seems that client-certification doesn't work.
> > >
> > > Any help would be greatly appreciated.
> > >
> > > Thank You
> > >
> > > Luca Ercoli
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> >
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Tomcat SSL Client Authentication

2005-04-27 Thread Darryl Wilburn 
What version of TC?  I've read something about
configuring the HTTPS connector to perform SSL client
certificate authorization.  I'm agree with Jim, in
server.xml, the clientAuth should be set to true. 
That is the correct setting, if you get a page not
found, that doesn't mean the cert didn't work... 
Also, the name on the client cert must be exactly the
same as the one in the user database.  I've also read
that you don't need and security-constraints to use
the CLIENT-CERT unless you're also using a separeat
Realm.

DW

--- lercoli <[EMAIL PROTECTED]> wrote:
> Hi Jim
> 
> I've tried with clientAuth = true but server
> certificate window doesn't
> appear and I get page not found error.
> 
> - Original Message - 
> From: "ohaya" <[EMAIL PROTECTED]>
> To: "Tomcat Users List"
> 
> Sent: Wednesday, April 27, 2005 12:49 PM
> Subject: Re: Tomcat SSL Client Authentication
> 
> 
> > Hi,
> >
> > I believe that the "clientAuth" needs to be set to
> "true" in the
> > server.xml.
> >
> > Jim
> >
> >
> >
> > lercoli wrote:
> > >
> > > Hello
> > >
> > > I've configured Tomcat SSL Client Authentication
> with these settings :
> > >
> > > web.xml
> > >
> > > ...
> > > 
> > >
> > > 
> > >
> > > Entire
> Application
> > >
> > > /*
> > >
> > > GET
> > >
> > > POST
> > >
> > > 
> > >
> > > 
> > >
> > >
>
CONFIDENTIAL
> > >
> > > 
> > >
> > > 
> > >
> > > 
> > >
> > > CLIENT-CERT
> > >
> > > 
> > >
> > > .
> > >
> > > server.xml
> > >
> > > .
> > >
> > >  > >
> > > maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75"
> > >
> > > enableLookups="false"
> disableUploadTimeout="true"
> > >
> > > acceptCount="100" scheme="https" secure="true"
> > >
> > > clientAuth="false" sslProtocol="TLS"
> > >
> > > keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks"
> keystorePass="changeit"
> > >
> > > truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks"
> />
> > >
> > > ...
> > >
> > > Client certificate (client.cer) is installed in
> my IE Browser (version
> 6.0.28).
> > >
> > > When I invoke htpps://localhost:8443/myweapp
> appears a window that asks
> me to accept the server certificate.
> > >
> > > I accept and my webapp index page appears.
> > >
> > > So why I don't see a window for client
> authentication ?
> > >
> > > And why I 've the same behaviour also when I
> remove the client.cer from
> my Browser ?
> > >
> > > It seems that client-certification doesn't work.
> > >
> > > Any help would be greatly appreciated.
> > >
> > > Thank You
> > >
> > > Luca Ercoli
> >
> >
>
-
> > To unsubscribe, e-mail:
> [EMAIL PROTECTED]
> > For additional commands, e-mail:
> [EMAIL PROTECTED]
> >
> >
> >
> 
> 
> 
>
-
> To unsubscribe, e-mail:
> [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]
> 
> 

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Tomcat SSL Client Authentication

2005-04-27 Thread lercoli 
Tomcat version 5.5.9 (JDK 1.5.0_02 and Windows 2000 Professional).

Client certificate username is a tomcat user (with which I've already
successfully tested in DIGEST authentication).

The strange thing is that when I set authClient to true I never see the the
alert window of the server certificate
(while instead appears with clientAuth = false).

- Original Message - 
From: "Darryl Wilburn" <[EMAIL PROTECTED]>
To: "Tomcat Users List" 
Sent: Wednesday, April 27, 2005 3:55 PM
Subject: Re: Tomcat SSL Client Authentication


> What version of TC?  I've read something about
> configuring the HTTPS connector to perform SSL client
> certificate authorization.  I'm agree with Jim, in
> server.xml, the clientAuth should be set to true.
> That is the correct setting, if you get a page not
> found, that doesn't mean the cert didn't work...
> Also, the name on the client cert must be exactly the
> same as the one in the user database.  I've also read
> that you don't need and security-constraints to use
> the CLIENT-CERT unless you're also using a separeat
> Realm.
>
> DW
>
> --- lercoli <[EMAIL PROTECTED]> wrote:
> > Hi Jim
> >
> > I've tried with clientAuth = true but server
> > certificate window doesn't
> > appear and I get page not found error.
> >
> > ----- Original Message ----- 
> > From: "ohaya" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List"
> > 
> > Sent: Wednesday, April 27, 2005 12:49 PM
> > Subject: Re: Tomcat SSL Client Authentication
> >
> >
> > > Hi,
> > >
> > > I believe that the "clientAuth" needs to be set to
> > "true" in the
> > > server.xml.
> > >
> > > Jim
> > >
> > >
> > >
> > > lercoli wrote:
> > > >
> > > > Hello
> > > >
> > > > I've configured Tomcat SSL Client Authentication
> > with these settings :
> > > >
> > > > web.xml
> > > >
> > > > ...
> > > > 
> > > >
> > > > 
> > > >
> > > > Entire
> > Application
> > > >
> > > > /*
> > > >
> > > > GET
> > > >
> > > > POST
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > >
> >
> CONFIDENTIAL
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > CLIENT-CERT
> > > >
> > > > 
> > > >
> > > > .
> > > >
> > > > server.xml
> > > >
> > > > .
> > > >
> > > >  > > >
> > > > maxThreads="150" minSpareThreads="25"
> > maxSpareThreads="75"
> > > >
> > > > enableLookups="false"
> > disableUploadTimeout="true"
> > > >
> > > > acceptCount="100" scheme="https" secure="true"
> > > >
> > > > clientAuth="false" sslProtocol="TLS"
> > > >
> > > > keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks"
> > keystorePass="changeit"
> > > >
> > > > truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks"
> > />
> > > >
> > > > ...
> > > >
> > > > Client certificate (client.cer) is installed in
> > my IE Browser (version
> > 6.0.28).
> > > >
> > > > When I invoke htpps://localhost:8443/myweapp
> > appears a window that asks
> > me to accept the server certificate.
> > > >
> > > > I accept and my webapp index page appears.
> > > >
> > > > So why I don't see a window for client
> > authentication ?
> > > >
> > > > And why I 've the same behaviour also when I
> > remove the client.cer from
> > my Browser ?
> > > >
> > > > It seems that client-certification doesn't work.
> > > >
> > > > Any help would be greatly appreciated.
> > > >
> > > > Thank You
> > > >
> > > > Luca Ercoli
> > >
> > >
> >
> -
> > > To unsubscribe, e-mail:
> > [EMAIL PROTECTED]
> > > For additional commands, e-mail:
> > [EMAIL PROTECTED]
> > >
> > >
> > >
> >
> >
> >
> >
> -
> > To unsubscribe, e-mail:
> > [EMAIL PROTECTED]
> > For additional commands, e-mail:
> > [EMAIL PROTECTED]
> >
> >
>
> __
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

SSL Client authentication against MemoryRealm

2005-02-25 Thread Jesus De Oliveira 
Hi,

The SSL client authentication doesn't work agains MemoryRealm, because the
authentication mechanism passes the DN of the client certificate to the
realm after validation for role assignement, but the memory realm don't
allow usernames that contains "," or "=" characters. Because the DN
contains these characters, the user can't get authenticated. I haven't
tested this with other Realms, but it's important to fix it on
MemoryRealm, used primarily for testing purposes. The tomcat version with
I'm using is 5.0.16.

Greetings
-- 
Jesus De Oliveira
Consultor IT
Baysystem Consultores C.A.
Tlf: (0212) 339.06.96
 (0414) 300.06.46



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

SSL Client authentication with standalone Tomcat

2002-02-26 Thread Brian Palmer 

I'm trying to set up for a simple project client-authentication and CA
abilities, using standalone tomcat and openssl. I'm not having
luck. The short version is, when I enable clientAuth, I am unable to
connect to the server, getting various messages (in Mozilla 0.9.8, I
get no error messages but the page will not load, using openssl
s_client I get a write error). 

Forgive me in advance for this long message, but my hope is that by
explicitly stating what I'm doing, it will be easy for someone more
experienced to see where I'm going wrong. I've spent much of the last
2 days searching online for information and trying different
approaches; most of the problems/solutions don't give a lot of details

I've done the following:

Step 1: Generate the tomcat request for certificate
keytool -genkey -alias tomcat -keyalg RSA

keytool -certreq -alias tomcat -file my.csr

Step 2: Generate the ca certificate
openssl req -new -newkey rsa:512 -nodes -out ca.req \
-keyout ca.key

openssl x509 -trustout -signkey ca.key -days 365  \
 -req -in ca.req -out ca.crt

Step 3: Sign the tomcat request to generate tomcat certificate 
openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
 -out my.crt -req -CAcreateserial

Step 4: Import both into my keystore
keytool -import -file ca.crt -alias RootCert

keytool -import -file my.crt -alias tomcat

I can then stop and restart tomcat, and non-client-authenticated https
works. I then go on to

Step 5: Generate a client certificate
openssl req -new -newkey rsa:512 -nodes \
-out client.req -keyout client.key

openssl x509 -CA ca.crt -CAkey ca.key \
 -req -in client.req \
  -out client.crt

I then enable clientAuth="true", and try to connect to tomcat using
the openssl s_client:
openssl s_client -cert client.crt -key client.key \
 -connect localhost:8443
and get the following output:
CONNECTED(0003)
depth=1 /C=US/ST=California/L=Stanford/O=Stanford University/OU=CSD/CN=UStorit 
[EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
write:errno=104

Any ideas? Or ideas on how to debug this? (I'm coming up against a
deadline, so any hints much appreciated)

-- 
Brian Palmer
"Whoever fights monsters should see to it that in the process he does
not become a monster. And when you look long into an abyss, the abyss
also looks into you"  - Nietzsche


--
To unsubscribe:   
For additional commands: 
Troubles with the list:

Re: Tomcat 4 - SSL - Client Authentication

2003-01-20 Thread Christopher Mark Balz 
Have you checked the permissions to the directory where your keystore is 
held?  The process running the webserver must of course be able to read 
the keystore.
- CB

Shiva.Devaguptapu wrote:

Hi,
	I am using Tomcat 4 on a linux system. I am trying to enable SSL
with
client authentication enabled. I want the client to be the Internet
Explorer, running
on Win2K, my desktop. I found the following steps on the net and tried.
*	Create keys on the server
*	Create the certificate on the server
*	Uncomment the required part in the server.xml of Tomcat
*	Enter appropriate values for the attributes in server.xml as :

className="org.apache.catalina.connector.http.HttpConnector"
   port="8453" minProcessors="5"
maxProcessors="75"
   enableLookups="true"
   acceptCount="10" debug="0"
scheme="https" secure="true">
  
className="org.apache.catalina.net.SSLServerSocketFactory"
	
keystoreFile="/home/shiva/tomcat/keystore/server.keystore"
   keystorePass="changeit"
   clientAuth="true"
protocol="TLS"/>

*	Create keys on the client
*	Create the certificate on the client
*	Import the cliet certificate on the server
*	Import the client certificate into Internet Explorer
	Now I started tomcat and I tried to access from the IE, the URL
https://192.168.200.12:8453 - then the Client Authentication dialog box
appears
without any certificates in the list, as a result I cannot select any
certificate, and
if I click on OK button, it says page cannot be displayed.
	I also tried importing the client certificate into
$JAVA_HOME/jre/lib/security/cacerts
on the serverand even that did not solve the problem and even I tried
importing
the server certificate on the client side into
$JAVA_HOME/jre/lib/security/cacerts
and into IE as well and even after the problem is not solved.
	I am including all the commands I used to perform the above steps.
Can anyone help me out in getting this done.
Thanks in advance,
Shiva.

=
Commnands used
=
***For generating server keys on Linux***
keytool -genkey -alias tomcat-sv \
 -keyalg RSA -keypass changeit \
 -storepass changeit \
 -keystore $CATALINA_HOME/keystore/server.keystore
***this keystore directory is created by me***
---
***For generating server cetificate on Linux***
keytool -export -alias tomcat-sv \
 -storepass changeit \
 -file server.cer \
 -keystore $CATALINA_HOME/keystore/server.keystore
---
***For generating client keys on Win2K***
keytool -genkey -alias tomcat-cl ^
 -keyalg RSA -keypass changeit ^
 -storepass changeit ^
 -keystore C:\ssltest\mykeystore\client.keystore
---
***For generating client cetificate on Win2K***
keytool -export -alias tomcat-cl ^
 -storepass changeit ^
 -file C:\ssltest\client.cer ^
 -keystore C:\ssltest\mykeystore\client.keystore
---
***For importing the client certificate on the server***
keytool -import -v -trustcacerts \
 -alias tomcat -file client.cer \
 -keypass changeit \
 -storepass changeit \
 -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore
=

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

 



--
". . . / This Cabinet is formd of Gold / And Pearl & Crystal shining bright
And within it opens into a World / . . .
Another England there I saw / Another London with its Tower
Another Thames & other Hills / And another pleasant Surrey Bower
. . ."
- from "The Crystal Cabinet", a poem by William Blake.



--
To unsubscribe, e-mail:   
For additional commands, e-mail:

RE: Tomcat 4 - SSL - Client Authentication

2003-01-20 Thread Shiva.Devaguptapu 
Yes. Read and write as well.

-Original Message-
From: Christopher Mark Balz [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 2:58 PM
To: Tomcat Users List
Subject: Re: Tomcat 4 - SSL - Client Authentication


Have you checked the permissions to the directory where your keystore is 
held?  The process running the webserver must of course be able to read 
the keystore.
 - CB

Shiva.Devaguptapu wrote:

>Hi,
>   I am using Tomcat 4 on a linux system. I am trying to enable SSL
>with
>client authentication enabled. I want the client to be the Internet
>Explorer, running
>on Win2K, my desktop. I found the following steps on the net and tried.
>*  Create keys on the server
>*  Create the certificate on the server
>*  Uncomment the required part in the server.xml of Tomcat
>*  Enter appropriate values for the attributes in server.xml as :
>   className="org.apache.catalina.connector.http.HttpConnector"
>  port="8453" minProcessors="5"
>maxProcessors="75"
>  enableLookups="true"
>  acceptCount="10" debug="0"
>scheme="https" secure="true">
> className="org.apache.catalina.net.SSLServerSocketFactory"
>   
>keystoreFile="/home/shiva/tomcat/keystore/server.keystore"
>  keystorePass="changeit"
>  clientAuth="true"
>protocol="TLS"/>
>   
>*  Create keys on the client
>*  Create the certificate on the client
>*  Import the cliet certificate on the server
>*  Import the client certificate into Internet Explorer
>   Now I started tomcat and I tried to access from the IE, the URL
>https://192.168.200.12:8453 - then the Client Authentication dialog box
>appears
>without any certificates in the list, as a result I cannot select any
>certificate, and
>if I click on OK button, it says page cannot be displayed.
>   I also tried importing the client certificate into
>$JAVA_HOME/jre/lib/security/cacerts
>on the serverand even that did not solve the problem and even I tried
>importing
>the server certificate on the client side into
>$JAVA_HOME/jre/lib/security/cacerts
>and into IE as well and even after the problem is not solved.
>   I am including all the commands I used to perform the above steps.
>Can anyone help me out in getting this done.
>Thanks in advance,
>Shiva.
>
>=
>Commnands used
>=
>***For generating server keys on Linux***
>keytool -genkey -alias tomcat-sv \
>  -keyalg RSA -keypass changeit \
>  -storepass changeit \
>  -keystore $CATALINA_HOME/keystore/server.keystore
>***this keystore directory is created by me***
>---
>***For generating server cetificate on Linux***
>keytool -export -alias tomcat-sv \
>  -storepass changeit \
>  -file server.cer \
>  -keystore $CATALINA_HOME/keystore/server.keystore
>---
>***For generating client keys on Win2K***
>keytool -genkey -alias tomcat-cl ^
>  -keyalg RSA -keypass changeit ^
>  -storepass changeit ^
>  -keystore C:\ssltest\mykeystore\client.keystore
>---
>***For generating client cetificate on Win2K***
>keytool -export -alias tomcat-cl ^
>  -storepass changeit ^
>  -file C:\ssltest\client.cer ^
>  -keystore C:\ssltest\mykeystore\client.keystore
>---
>***For importing the client certificate on the server***
>keytool -import -v -trustcacerts \
>  -alias tomcat -file client.cer \
>  -keypass changeit \
>  -storepass changeit \
>  -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore
>=
>
>--
>To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
>For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
>
>  
>


-- 
". . . / This Cabinet is formd of Gold / And Pearl & Crystal shining bright
And within it opens into a World / . . .
Another England there I saw / Another London with its Tower
Another Thames & other Hills / And another pleasant Surrey Bower
. . ."
- from "The Crystal Cabinet", a poem by William Blake.



--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>

--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

SSL client authentication with mod_ssl+mod_jk

2003-03-06 Thread Aaron Stromas 
Hi,

If somebody has a working client SSL authentication for Apache 1.3.*,
mod_ssl/mod_jk, i.e., ajp mounts that require client certificate
(SSLVerifyClient require), I'd be very grateful to see the appropriate
pieces of configuration files. Thank you.

-a
-- 
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
[EMAIL PROTECTED]| BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

SSL client authentication with IE 6.0

2003-06-06 Thread Duma Rolando 
I'm running Tomcat 4.1.24 standalone with SSL client authentication
enabled.Internet Explorer 6.0 when I try to access the server pops up a
window that ask me which certificate will be used for client authentication,
but the list of certificates is empty!
I've tested my browser on apache with mod_ssl and client authentication, and
IE pops up the same window but in this case my personal certificate is
present.
This is the only tomcat connector configured on my PC.


  

Thanks for your help.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

SSL client authentication with tomcat 4.1.24

2003-06-06 Thread Duma Rolando 
Is there anyone that have a running tomcat 4.1.24 standalone server with SSL
and clientAuth="true"?
My current config doesn't work ( i.e. Internet Explorer doesn't display my
personal certificate, Mozilla displays an error message ).I tried with only
one SSL connector on port 443 and with also an http connector on port 80
without success.I would like to know if I'm wasting time or there are
"success stories" about this in this community.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re[2]: Tomcat: SSL client authentication

2003-07-27 Thread Dmitry S.Rogulin 

But (as I pointed out in 3.,4. and 6) I have client cert and CA cert.
The latter I imported to the cacert.
I tried to do the same without Tomact but with very simple HTTP(s)
server and got the same result. So I suggest that I did something
wrong with creating/importing certs.

But what's wrong?

BB> You can't generally use a self-signed client cert with JSSE (you can
BB> configure PureTLS to accept it, but another bug means that you'd have to
BB> wait for 4.1.26).  The work-around is way too much trouble for the sysadmin,
BB> and I don't feel like being an enabler for a true hideous design.  So,
BB> you'll just have to read the JSSE docs for yourself ;-).

BB> If you need to issue your own client-certs, I'd suggest setting up your own
BB> CA (with OpenSSL or otherwise), and import your CA's cert into cacerts.  You
BB> can then hand out client certs, and Tomcat will accept them.

BB> "Dmitry S.Rogulin" wrote in message
BB> news:[EMAIL PROTECTED]
>> Hello all,
>>
>> Sorry for the previous e-mail. %)
>>
>> This theme was discussed about month ago. I tried to use what I've
>> found but I'm still having a problem...
>>
>> I'm trying to do SSL client authentication with Tomcat 4.1.18
BB> (clientAuth="true").
>>
>> 1. I've generated a client certificate using keytool:
>>   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
>>
>> 2. Then I created Certificate Signing Request:
>>   keytool -certreq -keyalg RSA -alias tomcat-cl -file
BB> certreq.csr -keystore client.keystore
>>
>> 3. I sent it to CA and got a signed certificate and CA Certificate.
>> 4. I imported them to the client keystore:
>>   keytool -import -alias root -keystore client.keystore -file cacert
>>   keytool -import -alias tomcat-cl -keystore client.keystore -file
BB> usercert
>>
>> 5. I exported server certificate and imported it as a trusted to the
>> trusted keystore:
>>   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore
BB> trust.keystore
>>
>> 6. I imported CA Certificate to "\jre\lib\security\cacerts" :
>>   keytool -import -file cacert -keystore
BB> %java_home%\jre\lib\security\cacerts -storepass changeit
>>
>>   I'm running Tomcat and test client on the same machine.
>>   Server keystore: %USERHOME%\.keystore
>>   Client keystore: %USERHOME%\client.keystore
>>   Client trusted keystore: %USERHOME%\trust.keystore
>>
>>   Test Client:
>> 
>> import java.net.*;
>> import java.io.*;
>> import java.util.*;
>> import java.security.*;
>> import javax.net.ssl.*;
>>
>> public class SimpleClient {
>>
>> public static void main(String[] args) {
>> System.setProperty("javax.net.ssl.trustStore",
BB> System.getProperty("user.home")+File.separator +"trust.keystore");
>>
>> System.setProperty("javax.net.ssl.keyStore",
BB> System.getProperty("user.home")+File.separator +"client.keystore");
>> System.setProperty("javax.net.ssl.keyStorePassword",
BB> "changeit");
>>
>> InputStream is = null;
>> OutputStream os = new ByteArrayOutputStream();
>>
>> try {
>> URL url = new
BB> URL("https://localhost:8443/readme.txt";);
>>
>> try {
>> is = url.openStream();
>>
>> byte[] buffer = new byte[4096];
>> int bytes_read;
>> while((bytes_read = is.read(buffer))
BB> != -1)
>> os.write(buffer, 0, bytes_read);
>>
>> System.out.println(os.toString());
>>
>> } catch (Exception e) { e.printStackTrace(); }
>> finally {
>> try {
>> is.close();
>> os.close();
>> } catch (IOException e) {
BB> e.printStackTrace(); }
>> }
>>
>> } catch (Exception e) { e.printStackTrace(); }
>>
>>
>> }
>> }
>> 
>>
>> With [clientAuth="false"] it works fine, but with

Re[4]: Tomcat: SSL client authentication

2003-07-28 Thread Dmitry S.Rogulin 
Hi Bill,

Thanks for answering.

I did solve the problem.
My client certificate is not self-signed (as I pointed out in 2.-4.).
So I have a certificate signed by my CA.

The problem was solved by setting CATALINA_OPTS system variable before
starting Tomcat:
set CATALINA_OPTS=-Djavax.net.ssl.trustStore=server.truststore
where "server.truststore" contains only imported CA certificate.

It seems that Tomcat doesn't use %JAVA_HOME%\jre\lib\security\cacerts
as a truststore by default (I did import CA cert into the cacerts) as
I understood from previous discussions.

Thanks!

Dmitry.

BB> From your 1., your client cert is self-signed, not signed by your CA cert.
BB> Since this amounts to telling the server "I am Dmitry, because I said so",
BB> it's a security-risk to accept self-signed client certs, so most HTTPS
BB> servers won't accept them.  (Of course, it is also the same security-risk to
BB> accept self-signed server-certs.  However, there is a big difference between
BB> clicking Ok in the browser's dialog box, and paging the webmaster at 3AM to
BB> agree to accept it ;-).

BB> The easiest thing would be to get a Thawte client-cert (since you don't have
BB> to pay for it), and use that instead of your self-signed one.  For testing,
BB> that is what I do (except that I use my Verisign cert, since my employer
BB> pays for that one :).  At least with Sun's JSSE, Thawte's Root cert is
BB> installed in cacerts by default.  Setting up your own CA is only needed if
BB> you have to hand out your own client-certs when you move to production.

BB> "Dmitry S.Rogulin" <[EMAIL PROTECTED]> wrote in message
BB> news:[EMAIL PROTECTED]
>>
>> But (as I pointed out in 3.,4. and 6) I have client cert and CA cert.
>> The latter I imported to the cacert.
>> I tried to do the same without Tomact but with very simple HTTP(s)
>> server and got the same result. So I suggest that I did something
>> wrong with creating/importing certs.
>>
>> But what's wrong?
>>
>> BB> You can't generally use a self-signed client cert with JSSE (you can
>> BB> configure PureTLS to accept it, but another bug means that you'd have
BB> to
>> BB> wait for 4.1.26).  The work-around is way too much trouble for the
BB> sysadmin,
>> BB> and I don't feel like being an enabler for a true hideous design.  So,
>> BB> you'll just have to read the JSSE docs for yourself ;-).
>>
>> BB> If you need to issue your own client-certs, I'd suggest setting up
BB> your own
>> BB> CA (with OpenSSL or otherwise), and import your CA's cert into
BB> cacerts.  You
>> BB> can then hand out client certs, and Tomcat will accept them.
>>
>> BB> "Dmitry S.Rogulin" wrote in message
>> BB> news:[EMAIL PROTECTED]
>> >> Hello all,
>> >>
>> >> Sorry for the previous e-mail. %)
>> >>
>> >> This theme was discussed about month ago. I tried to use what I've
>> >> found but I'm still having a problem...
>> >>
>> >> I'm trying to do SSL client authentication with Tomcat 4.1.18
>> BB> (clientAuth="true").
>> >>
>> >> 1. I've generated a client certificate using keytool:
>> >>   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore
BB> client.keystore
>> >>
>> >> 2. Then I created Certificate Signing Request:
>> >>   keytool -certreq -keyalg RSA -alias tomcat-cl -file
>> BB> certreq.csr -keystore client.keystore
>> >>
>> >> 3. I sent it to CA and got a signed certificate and CA Certificate.
>> >> 4. I imported them to the client keystore:
>> >>   keytool -import -alias root -keystore client.keystore -file cacert
>> >>   keytool -import -alias tomcat-cl -keystore client.keystore -file
>> BB> usercert
>> >>
>> >> 5. I exported server certificate and imported it as a trusted to the
>> >> trusted keystore:
>> >>   keytool -import -trustcacerts -alias tomcat -file
BB> server.cer -keystore
>> BB> trust.keystore
>> >>
>> >> 6. I imported CA Certificate to "\jre\lib\security\cacerts" :
>> >>   keytool -import -file cacert -keystore
>> BB> %java_home%\jre\lib\security\cacerts -storepass changeit
>> >>
>> >>   I'm running Tomcat and test client on the same machine.
>> >>   Server keystore: %USERHOME%\.keystore
>> >>   Client keystore: %USERHOME%\client.keystore
>> >>   Client trusted keystore: %USERHOME%\trust.keysto

Re: Tomcat 4 + ssl + client authentication

2003-10-09 Thread Bill Barker 

"Kenneth Westelinck" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi all,
>
> I've been searching the internet for 2 days now and still haven't found a
> solution for my problem. I am trying to set up a Tomcat 4 server running
in
> HTTPS mode, contacted by a client written in Java. The client is using
> HTTPClient from apache. I have done everything the document at
> http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html describes.
> If I disable client authentication in the tomcat config, the client is
able
> to comunicate with the server. If I enable the authentication the client
> aborts with the following exception:
> java.net.SocketException: Software caused connection abort: JVM_recv in
> socket input stream read
> at java.net.SocketInputStream.socketRead0(Native Method)
> ...
>
> I enabled all possible debugging on the Tomcat server and this is part of
> what I found in the console:
> Thread-10, WRITE:  SSL v3.1 Handshake, length = 625
> Thread-10, READ:  SSL v3.1 Handshake, length = 141
> *** Certificate chain
> ***
> Thread-10, SEND SSL v3.1 ALERT:  fatal, description = bad_certificate
> Thread-10, WRITE:  SSL v3.1 Alert, length = 2
>
> The client's certificate cannot be bad. It was signed with the server's
key
> and it's in the server's keystore.
>

Client cert verification is done against the TrustStore, not the KeyStore.
Tomcat 5 has some improvements for this.  Tomcat 4 is still a bit limited.

> I have no idea what is goin wrong. Can someone tell me how to make this
> work?
>

Assuming that you don't want to just import the signing cert into cacerts
(see the JSSE docs for how to do this), then you need to have something
like:


CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/my/truststore -Djavax.net
.ssl.trustStorePassword=myTrustStorePassword"

At the moment, your TrustStore file has to be in the same format as your
KeyStore file (a nasty limitation that I haven't gotten around to fixing :).


> MTIA
>
> regards,
>
> Kenneth
>
> _
> Op zoek naar makkelijk recept? http://www.msn.be/culinair




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Tomcat 4 + ssl + client authentication

2003-10-09 Thread Kenneth Westelinck 
Client cert verification is done against the TrustStore, not the KeyStore.
Tomcat 5 has some improvements for this.  Tomcat 4 is still a bit limited.
> I have no idea what is goin wrong. Can someone tell me how to make this
> work?
>
Assuming that you don't want to just import the signing cert into cacerts
(see the JSSE docs for how to do this), then you need to have something
like:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/my/truststore 
-Djavax.net
.ssl.trustStorePassword=myTrustStorePassword"

At the moment, your TrustStore file has to be in the same format as your
KeyStore file (a nasty limitation that I haven't gotten around to fixing 
:).
Yep, done that. Yesterday after sending this mail I was able to get it to 
work authenticating using the imported client key in Mozilla and putting the 
signed client key in this truststore. So it is working now using Mozilla 
(nice).
So now I found out there is a keyStore property as well (stupid me), and I 
was able to authenticate using my Java client against the server (nice 
again). If someone is interested in the code, this is the client part (just 
for testing):

System.setProperty("javax.net.ssl.trustStore", "f:/client.keystore");
   System.setProperty("javax.net.ssl.keyStore", "f:/client.keystore");
   System.setProperty("javax.net.ssl.keyStorePassword","changeit");
HttpClient httpclient = new HttpClient();
Protocol myhttps =
new Protocol(
"https",
new StrictSSLProtocolSocketFactory(false),
8443);
httpclient.getHostConfiguration().setHost("myhost", 8443, myhttps);
GetMethod httpget = new GetMethod("/");
httpclient.executeMethod(httpget);
with StrictSSLProtocolSocketFactory the same code as the sample code you can 
download from the Apache/HTTPClient site. One question though ... suppose 
the client keyStore has different keys, how can one tell to the code to use 
key A or key B (for the moment there's only one key in this keyStore). Using 
mozilla it is simple, he just asks which key to use.

Thank you for your help.

regards,

Kenneth

_
Mis onze Back To School special niet! http://www.msn.be/backtoschool
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

ssl client authentication drives me crazy

2003-10-14 Thread Twan Munster 
Hello,

With apache client authentication was so simple. Now my boss wants to use it for 
smartcard login and I have to use tomcat with cocoon. Thats why I need the client 
authentication with ssl to work. But I just can't fix it can anyone please help me. 
All examples wont work I always get errors like  Unsupported SSL v2.0 ClientHello,  no 
cipher suites in common and handshake error

Can somebody please tell me how to use keytool. I've got the following certificates 
and I use them in apache like this:

1 server.crt = server certificate
2 ca.crt = chain certificate
3 ca-bundle.crt = lots of certificates for client authentication
4 server.key = i really don't know how to get this one in keytool

Thnx

Twan Munster

solution problems with ssl client authentication

2003-10-15 Thread Twan Munster 
Hello,

Here's the solution for some major problems, which i expirienced getting client 
authentication to work. I'll post it to help people save time. It cost me more than a 
week to get it working and the solution is so simple it can be done in less than half 
an hour.

Problem 1 getting excisting certificates in keystore
If you already have a ca,client and server certificate this is what to do:

openssl pkcs12 -export -in servercert.crt -inkey mykey.key 
-out servercert.p12 -name tomcat -CAfile myCA.crt 
-caname root -chain

this is the only command that works, trust me i've tried a lot to ;-)

than set in server.xml in ssl connector keystoreType =PKCS12

Problem 2 certificate is not trusted

on the net all sorts of solutions are given, but this is the only one I got working.
The only solution is adding manually with a program like keytool or keyman the CA 
certificate of the client to 
JAVA_HOME\jre\lib\security\cacerts

creating truststore, adding 
CATALINA_OPTS="-Djavax.net.ssl.trustStore=PATH_TO_TRUSTSTORE
-Djavax.net.ssl.trustStorePassword=PASSWORD_FROM_TRUSTSTORE"
didn't work for me

Hope it helps a lot of people,

Twan

Re: 2 way SSL ( client authentication)

2003-12-29 Thread Bill Barker 
The ssl-howto has instructions for generating a self-signed Server-cert.
You can't use a self-signed client-cert (Ok, I'm lying, but it's for your
own good:  You can with PureTLS, but for your own good, I'm going to make
you look it up yourself :).  The client-cert needs to be signed by someone
in your TrustStore.

"Amjad Shahrour" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi all,
>
>
>
> I am trying to implement 2 way SSL ( client authentication) on tomcat 4.
>
>
>
>  I am following all steps.
>
> But still have something missing.  ( all documentations descrips how to
> deal with certificates that are varified by CA).
>
>
>
> I need to know how to generate a normal self-signed certificate and how
> to use it in a proper way.
>
>
>
> Thnx.
>
>
>
>
>
>
>
> Amjad Shahrour
>
> Application Developer
>
> Tel: +966.2.653.3334 ext 213
>
> [EMAIL PROTECTED]
>
> www.labbaik.com
>
>
>
>
>
>
>
>
>
>




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL client authentication with Tomcat

2000-11-06 Thread Antonio Sanchez 

Hi,
when you say this feature is not supported in Tomcat 3.x, do you also mean
that it is not available either for Apache+Tomcat 3.1?
Thanks in advance


This feature is not supported in Tomcat 3.x presently, although it is
available in Tomcat 4.0 (pre-alpha nightly builds currently available).

Craig McClanahan
> Hi to all!
> Does anybody know whether there is the possibility to access the SSL
> client certificate variables from a servlet running in Tomcat?.
> Thanks to all of you!

RE: SSL client authentication with Tomcat

2000-11-06 Thread Stefán F. Stefánsson 

Sorry to butt in but you know that this IS supported if you're using the
internal tomcat 3.2b6 webserver...

You can access the client certificate if the connection comes through
the HTTP server of Tomcat.  Then you can use the
request.getAttribute("javax.servlet.blablabla") just as described in the
servlet docs (of course you only get access to the X509 information...
not the private key itself).

Of course you may not have the ability to run Tomcat as your HTTP server
but I hope this helps you a little (maybe you can continue developing on
Tomcat standalone while waiting for the support in Tomcat + Apache).

Kind regards, Stefan Freyr.

-Original Message-
From: Antonio Sanchez [mailto:[EMAIL PROTECTED]]
Sent: 6. nóvember 2000 18:29
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: SSL client authentication with Tomcat


Hi,
when you say this feature is not supported in Tomcat 3.x, do you also
mean
that it is not available either for Apache+Tomcat 3.1?
Thanks in advance


This feature is not supported in Tomcat 3.x presently, although it is
available in Tomcat 4.0 (pre-alpha nightly builds currently available).

Craig McClanahan
> Hi to all!
> Does anybody know whether there is the possibility to access the SSL
> client certificate variables from a servlet running in Tomcat?.
> Thanks to all of you!

Re: SSL Client authentication with standalone Tomcat

2002-02-26 Thread Wolfgang Stein 

As far as i understand the client-auth handshake,
the server sends a list of trusted CAs to the client.

This list is take from
\lib\security\cacerts
So you have to import your CA-cert into that file,
instead of your .keystore .
There is no need to import the client cert into cacerts or keystore.

The client browser scans his (previously imported) client certs 
for a matching cert isssuer/signer and sends (?) this to the server.

You will face a difference in comparism of the ca certs between
nestcape / MS IE. 



Gruß,
Wolfgang
 

> -Ursprüngliche Nachricht-
> Von: Brian Palmer [mailto:[EMAIL PROTECTED]]
> Gesendet: Dienstag, 26. Februar 2002 11:58
> An: [EMAIL PROTECTED]
> Betreff: SSL Client authentication with standalone Tomcat
> 
> 
> I'm trying to set up for a simple project client-authentication and CA
> abilities, using standalone tomcat and openssl. I'm not having
> luck. The short version is, when I enable clientAuth, I am unable to
> connect to the server, getting various messages (in Mozilla 0.9.8, I
> get no error messages but the page will not load, using openssl
> s_client I get a write error). 
> 
> Forgive me in advance for this long message, but my hope is that by
> explicitly stating what I'm doing, it will be easy for someone more
> experienced to see where I'm going wrong. I've spent much of the last
> 2 days searching online for information and trying different
> approaches; most of the problems/solutions don't give a lot of details
> 
> I've done the following:
> 
> Step 1: Generate the tomcat request for certificate
> keytool -genkey -alias tomcat -keyalg RSA
> 
> keytool -certreq -alias tomcat -file my.csr
> 
> Step 2: Generate the ca certificate
> openssl req -new -newkey rsa:512 -nodes -out ca.req \
> -keyout ca.key
> 
> openssl x509 -trustout -signkey ca.key -days 365  \
>  -req -in ca.req -out ca.crt
> 
> Step 3: Sign the tomcat request to generate tomcat certificate 
> openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
>  -out my.crt -req -CAcreateserial
> 
> Step 4: Import both into my keystore
> keytool -import -file ca.crt -alias RootCert
> 
> keytool -import -file my.crt -alias tomcat
> 
> I can then stop and restart tomcat, and non-client-authenticated https
> works. I then go on to
> 
> Step 5: Generate a client certificate
> openssl req -new -newkey rsa:512 -nodes \
> -out client.req -keyout client.key
> 
> openssl x509 -CA ca.crt -CAkey ca.key \
>  -req -in client.req \
>   -out client.crt
> 
> I then enable clientAuth="true", and try to connect to tomcat using
> the openssl s_client:
> openssl s_client -cert client.crt -key client.key \
>  -connect localhost:8443
> and get the following output:
> CONNECTED(0003)
> depth=1 /C=US/ST=California/L=Stanford/O=Stanford 
> University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> write:errno=104
> 
> Any ideas? Or ideas on how to debug this? (I'm coming up against a
> deadline, so any hints much appreciated)
> 
> -- 
> Brian Palmer
> "Whoever fights monsters should see to it that in the process he does
> not become a monster. And when you look long into an abyss, the abyss
> also looks into you"  - Nietzsche
> 
> 
> --
> To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
>

--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>

RE: SSL Client authentication with standalone Tomcat

2002-02-26 Thread Anton Brazhnyk 

Hi,

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Palmer
> Sent: Tuesday, February 26, 2002 12:58 PM
> To: [EMAIL PROTECTED]
> Subject: SSL Client authentication with standalone Tomcat
> 
> 
> I'm trying to set up for a simple project client-authentication and CA
> abilities, using standalone tomcat and openssl. I'm not having
> luck. The short version is, when I enable clientAuth, I am unable to
> connect to the server, getting various messages (in Mozilla 0.9.8, I
> get no error messages but the page will not load, using openssl
> s_client I get a write error). 
> 
> Forgive me in advance for this long message, but my hope is that by
> explicitly stating what I'm doing, it will be easy for someone more
> experienced to see where I'm going wrong. I've spent much of the last
> 2 days searching online for information and trying different
> approaches; most of the problems/solutions don't give a lot of details
> 
> I've done the following:
> 
> Step 1: Generate the tomcat request for certificate
> keytool -genkey -alias tomcat -keyalg RSA
> 
> keytool -certreq -alias tomcat -file my.csr
> 
> Step 2: Generate the ca certificate
> openssl req -new -newkey rsa:512 -nodes -out ca.req \
> -keyout ca.key
> 
> openssl x509 -trustout -signkey ca.key -days 365  \
>  -req -in ca.req -out ca.crt
> 
> Step 3: Sign the tomcat request to generate tomcat certificate 
> openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
>  -out my.crt -req -CAcreateserial
> 
> Step 4: Import both into my keystore
> keytool -import -file ca.crt -alias RootCert
> 
> keytool -import -file my.crt -alias tomcat
> 

I'm not sure its necessary, but I'd import last certificate with 
following command:

keytool -import -trustcacerts -file my.crt -alias tomcat

> I can then stop and restart tomcat, and non-client-authenticated https
> works. I then go on to
> 
> Step 5: Generate a client certificate
> openssl req -new -newkey rsa:512 -nodes \
> -out client.req -keyout client.key
> 
> openssl x509 -CA ca.crt -CAkey ca.key \
>  -req -in client.req \
>   -out client.crt
> 
> I then enable clientAuth="true", and try to connect to tomcat using
> the openssl s_client:
> openssl s_client -cert client.crt -key client.key \
>  -connect localhost:8443
> and get the following output:
> CONNECTED(0003)
> depth=1 /C=US/ST=California/L=Stanford/O=Stanford 
> University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> write:errno=104
> 
> Any ideas? Or ideas on how to debug this? (I'm coming up against a
> deadline, so any hints much appreciated)
> 

And I bet client certificate should be signed in specific way.
Some guys mentioned that you can find some help at openSSL
site.

> -- 
> Brian Palmer
> "Whoever fights monsters should see to it that in the process he does
> not become a monster. And when you look long into an abyss, the abyss
> also looks into you"  - Nietzsche
> 
> 

Anton

--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>

Re: SSL Client authentication with standalone Tomcat

2002-02-26 Thread Wolfgang Stein 

Imagine an online banking system with some thousand clients

I can't believe that you have to import each
client cert into the keystore file.

If you start tomcat with the -Djavax.net.debug=all option
you should be able to verify that tomcat initially sends a list 
of trusted CAs taken from the cacert file. 
This file should contain one CA (or more) that signed 
a client certificat signing request (or groups of them).

But Anton Brazhnyk's suggestion could be an alternative way.
If anybody succeeded in establishing the ssl client cert handhake
after importing client certs into the keystore file only,
please let us know.


Gruß,
Wolfgang
 

Anton Brazhnyk wrote
> 
> I'm not sure its necessary, but I'd import last certificate with 
> following command:
> 
>   keytool -import -trustcacerts -file my.crt -alias tomcat
> 


Wolfgang Stein wrote:
> 
> As far as i understand the client-auth handshake,
> the server sends a list of trusted CAs to the client.
>
> This list is taken from
> \lib\security\cacerts
> So you have to import your CA-cert into that file,
> instead of your .keystore .
> There is no need to import the client cert into cacerts or keystore.
> 

--
To unsubscribe:   
For additional commands: 
Troubles with the list:

RE: SSL Client authentication with standalone Tomcat

2002-02-26 Thread Anton Brazhnyk 

Hi Wolfgang,

> -Original Message-
> From: Wolfgang Stein [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 3:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SSL Client authentication with standalone Tomcat
> 
> 
> Imagine an online banking system with some thousand clients
> 
> I can't believe that you have to import each
> client cert into the keystore file.
> 
> If you start tomcat with the -Djavax.net.debug=all option
> you should be able to verify that tomcat initially sends a list 
> of trusted CAs taken from the cacert file. 
> This file should contain one CA (or more) that signed 
> a client certificat signing request (or groups of them).
> 
> But Anton Brazhnyk's suggestion could be an alternative way.
> If anybody succeeded in establishing the ssl client cert handhake
> after importing client certs into the keystore file only,
> please let us know.
> 

Actually I meant importaing server certificate, since there wasn't
"-trustcacerts" in statement with "-alias tomcat".

And, well, I'm not sure again... :)
Client cert should be signed with sertificate of the server
(not just with CA certificate)

> 
> Gru?,
> Wolfgang
>  
> 
> Anton Brazhnyk wrote
> > 
> > I'm not sure its necessary, but I'd import last certificate with 
> > following command:
> > 
> > keytool -import -trustcacerts -file my.crt -alias tomcat
> > 
> 
> 
> Wolfgang Stein wrote:
> > 
> > As far as i understand the client-auth handshake,
> > the server sends a list of trusted CAs to the client.
> >
> > This list is taken from
> > \lib\security\cacerts
> > So you have to import your CA-cert into that file,
> > instead of your .keystore .
> > There is no need to import the client cert into cacerts or keystore.
> > 
> 

Anton

--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>

Reposting: SSL Client authentication with standalone Tomcat

2002-02-26 Thread Wolfgang Stein 

I repost this because it didn't show up on the list but
a subsequent posting already did:

> The client browser scans his (previously imported) client certs
> for a matching cert isssuer/signer and sends (?) this to the server.

This part should read:
The client browser scans his (previously imported) client certs
for a matching cert issuer/signer, fills / pops up a choice dialog
box to select a client cert from, 
and sends (?) the users selection back to the server.

This choice box was usually empty in MS IE. Read my previous
posting "Any success with Tomcat 4.0.2 and client
certificates in MS IE ?"


Wolfgang Stein wrote:
> 
> As far as i understand the client-auth handshake,
> the server sends a list of trusted CAs to the client.
> 
> This list is take from
> \lib\security\cacerts
> So you have to import your CA-cert into that file,
> instead of your .keystore .
> There is no need to import the client cert into cacerts or keystore.
> 
> The client browser scans his (previously imported) client certs
> for a matching cert isssuer/signer and sends (?) this to the server.
> 
> You will face a difference in comparism of the ca certs between
> nestcape / MS IE.
> 
> Gruß,
> Wolfgang
> 
> 
> > -Ursprüngliche Nachricht-
> > Von: Brian Palmer [mailto:[EMAIL PROTECTED]]
> > Gesendet: Dienstag, 26. Februar 2002 11:58
> > An: [EMAIL PROTECTED]
> > Betreff: SSL Client authentication with standalone Tomcat
> >
> >
> > I'm trying to set up for a simple project client-authentication and CA
> > abilities, using standalone tomcat and openssl. I'm not having
> > luck. The short version is, when I enable clientAuth, I am unable to
> > connect to the server, getting various messages (in Mozilla 0.9.8, I
> > get no error messages but the page will not load, using openssl
> > s_client I get a write error).
> >
> > Forgive me in advance for this long message, but my hope is that by
> > explicitly stating what I'm doing, it will be easy for someone more
> > experienced to see where I'm going wrong. I've spent much of the last
> > 2 days searching online for information and trying different
> > approaches; most of the problems/solutions don't give a lot of details
> >
> > I've done the following:
> >
> > Step 1: Generate the tomcat request for certificate
> > keytool -genkey -alias tomcat -keyalg RSA
> >
> > keytool -certreq -alias tomcat -file my.csr
> >
> > Step 2: Generate the ca certificate
> > openssl req -new -newkey rsa:512 -nodes -out ca.req \
> > -keyout ca.key
> >
> > openssl x509 -trustout -signkey ca.key -days 365  \
> >  -req -in ca.req -out ca.crt
> >
> > Step 3: Sign the tomcat request to generate tomcat certificate
> > openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
> >  -out my.crt -req -CAcreateserial
> >
> > Step 4: Import both into my keystore
> > keytool -import -file ca.crt -alias RootCert
> >
> > keytool -import -file my.crt -alias tomcat
> >
> > I can then stop and restart tomcat, and non-client-authenticated https
> > works. I then go on to
> >
> > Step 5: Generate a client certificate
> > openssl req -new -newkey rsa:512 -nodes \
> > -out client.req -keyout client.key
> >
> > openssl x509 -CA ca.crt -CAkey ca.key \
> >  -req -in client.req \
> >   -out client.crt
> >
> > I then enable clientAuth="true", and try to connect to tomcat using
> > the openssl s_client:
> > openssl s_client -cert client.crt -key client.key \
> >  -connect localhost:8443
> > and get the following output:
> > CONNECTED(0003)
> > depth=1 /C=US/ST=California/L=Stanford/O=Stanford
> > University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
> > verify error:num=19:self signed certificate in certificate chain
> > verify return:0
> > write:errno=104
> >
> > Any ideas? Or ideas on how to debug this? (I'm coming up against a
> > deadline, so any hints much appreciated)
> >
> > --
> > Brian Palmer
> > "Whoever fights monsters should see to it that in the process he does
> > not become a monster. And when you look long into an abyss, the abyss
> > also looks into you"  - Nietzsche
> >
> >
> > --
> > To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> > For additional commands: <mailto:[EMAIL PROTECTED]>
> > Troubles with the list: <mailto:[EMAIL PROTECTED]>
> >

--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>

Re: SSL Client authentication with standalone Tomcat

2002-02-26 Thread Wolfgang Stein 

> The client browser scans his (previously imported) client certs
> for a matching cert isssuer/signer and sends (?) this to the server.

This part should read:
The client browser scans his (previously imported) client certs
for a matching cert issuer/signer, fills / pops up a choice dialog
box to select a client cert from, 
and sends (?) the users selection back to the server.

This choice box was usually empty in MS IE. Read my previous
posting "Any success with Tomcat 4.0.2 and client
certificates in MS IE ?"


Wolfgang Stein wrote:
> 
> As far as i understand the client-auth handshake,
> the server sends a list of trusted CAs to the client.
> 
> This list is take from
> \lib\security\cacerts
> So you have to import your CA-cert into that file,
> instead of your .keystore .
> There is no need to import the client cert into cacerts or keystore.
> 
> The client browser scans his (previously imported) client certs
> for a matching cert isssuer/signer and sends (?) this to the server.
> 
> You will face a difference in comparism of the ca certs between
> nestcape / MS IE.
> 
> Gruß,
> Wolfgang
> 
> 
> > -Ursprüngliche Nachricht-
> > Von: Brian Palmer [mailto:[EMAIL PROTECTED]]
> > Gesendet: Dienstag, 26. Februar 2002 11:58
> > An: [EMAIL PROTECTED]
> > Betreff: SSL Client authentication with standalone Tomcat
> >
> >
> > I'm trying to set up for a simple project client-authentication and CA
> > abilities, using standalone tomcat and openssl. I'm not having
> > luck. The short version is, when I enable clientAuth, I am unable to
> > connect to the server, getting various messages (in Mozilla 0.9.8, I
> > get no error messages but the page will not load, using openssl
> > s_client I get a write error).
> >
> > Forgive me in advance for this long message, but my hope is that by
> > explicitly stating what I'm doing, it will be easy for someone more
> > experienced to see where I'm going wrong. I've spent much of the last
> > 2 days searching online for information and trying different
> > approaches; most of the problems/solutions don't give a lot of details
> >
> > I've done the following:
> >
> > Step 1: Generate the tomcat request for certificate
> > keytool -genkey -alias tomcat -keyalg RSA
> >
> > keytool -certreq -alias tomcat -file my.csr
> >
> > Step 2: Generate the ca certificate
> > openssl req -new -newkey rsa:512 -nodes -out ca.req \
> > -keyout ca.key
> >
> > openssl x509 -trustout -signkey ca.key -days 365  \
> >  -req -in ca.req -out ca.crt
> >
> > Step 3: Sign the tomcat request to generate tomcat certificate
> > openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
> >  -out my.crt -req -CAcreateserial
> >
> > Step 4: Import both into my keystore
> > keytool -import -file ca.crt -alias RootCert
> >
> > keytool -import -file my.crt -alias tomcat
> >
> > I can then stop and restart tomcat, and non-client-authenticated https
> > works. I then go on to
> >
> > Step 5: Generate a client certificate
> > openssl req -new -newkey rsa:512 -nodes \
> > -out client.req -keyout client.key
> >
> > openssl x509 -CA ca.crt -CAkey ca.key \
> >  -req -in client.req \
> >   -out client.crt
> >
> > I then enable clientAuth="true", and try to connect to tomcat using
> > the openssl s_client:
> > openssl s_client -cert client.crt -key client.key \
> >  -connect localhost:8443
> > and get the following output:
> > CONNECTED(0003)
> > depth=1 /C=US/ST=California/L=Stanford/O=Stanford
> > University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
> > verify error:num=19:self signed certificate in certificate chain
> > verify return:0
> > write:errno=104
> >
> > Any ideas? Or ideas on how to debug this? (I'm coming up against a
> > deadline, so any hints much appreciated)
> >
> > --
> > Brian Palmer
> > "Whoever fights monsters should see to it that in the process he does
> > not become a monster. And when you look long into an abyss, the abyss
> > also looks into you"  - Nietzsche
> >
> >
> > --
> > To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> > For additional commands: <mailto:[EMAIL PROTECTED]>
> > Troubles with the list: <mailto:[EMAIL PROTECTED]>
> >

--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>

Re: SSL Client authentication with standalone Tomcat

2002-03-02 Thread Brian Palmer 

Wolfgang Stein <[EMAIL PROTECTED]> writes:

> As far as i understand the client-auth handshake,
> the server sends a list of trusted CAs to the client.
> 
> This list is take from
> \lib\security\cacerts
> So you have to import your CA-cert into that file,
> instead of your .keystore .
> There is no need to import the client cert into cacerts or keystore.

First, sorry for not responding earlier to this thread. My laptop died
and stopped my forward momentum for a few days.

This solved my problem; I had thought I needed to do something like
that, but hadn't known how, exactly. Thanks a lot!

-- 
Brian Palmer
"Whoever fights monsters should see to it that in the process he does
not become a monster. And when you look long into an abyss, the abyss
also looks into you"  - Nietzsche


--
To unsubscribe:   
For additional commands: 
Troubles with the list:

SSL client authentication + LDAP realm / Tomcat 4.1.18

2003-03-11 Thread Philippe Maseres 
Hello.

I try to set up the following features :
- Client authentication using client SSL certificates
- Client authorization using the JNDI realm, against an iPlanet LDAP
directory

I first tested a simpler configuration using the LDAP realm with BASIC
authentication, and it works fine. The realm configuration, set up in the
server.xml application context is :



ldap://localhost:389";
roleBase="ou=Roles,ou=TomcatRealm,dc=moon.net"
roleName="cn"
roleSearch="(uniqueMember={0})"
roleSubtree="false"
userBase="ou=Users,ou=TomcatRealm,dc=moon.net"
userSearch="(cn={0})"
/>


According to this configuration, when a user tries to access a secured URL
and provides its BASIC login and password, the realm correctly checks the
credentials against the directory, binding with the DN using the userBase
and userSearch parameters.

On the other hand, i tried another configuration, using SSL client
authentication and the default realm, adding a user entry in the
tomcat-users.xml file with the complete DN as username :
"cn=SomeBody,ou=Users,ou=TomcatRealm,dc=moon.net". As expected, the
certificate is successfully verified in the trust cacerts store, and the
default realm correctly matches the user with the issuer DN extracted from
the client certificate.

In this last case, i assumed the DN provided by the client certificate is
the exact expression used by the realm to match the users identity.

Now, i don't understand how it should be possible to configure both the JNDI
realm and the SSL connector to indicate how the client certificates DN must
be used to check the user identity in the LDAP directory. It seems obvious
that using the full DN from the client certificate as a single user
identifier (cn, uid, etc.) fails, since the search filter doesn't match.
Should it be sensible to use the key alias from the trust keystore as the
directory identifier value ? Perhaps i don't go the right way !...

Thanks for your help.

Philippe Maseres


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: SSL client authentication with tomcat 4.1.24

2003-06-06 Thread Bodycombe, Andrew 
You need to import your personal certificate into your browser.

In IE:
Select 'Internet Options' from the Tools Menu
Select the Content tab
Press the certificates button

This takes you to the screen showing all your certificates
Select the 'Personal' tab
Press Import to import your certificate

Andy

-Original Message-
From: Duma Rolando [mailto:[EMAIL PROTECTED] 
Sent: 06 June 2003 11:31
To: Tomcat Mailing List
Subject: SSL client authentication with tomcat 4.1.24


Is there anyone that have a running tomcat 4.1.24 standalone server with SSL
and clientAuth="true"?
My current config doesn't work ( i.e. Internet Explorer doesn't display my
personal certificate, Mozilla displays an error message ).I tried with only
one SSL connector on port 443 and with also an http connector on port 80
without success.I would like to know if I'm wasting time or there are
"success stories" about this in this community.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL client authentication with tomcat 4.1.24

2003-06-06 Thread Duma Rolando 
I have already imported my certificate.This is correctly showed if I connect
to an apache + mod-ssl server with "SSLVerifyClient require" directive, so I
think the problem belongs to Tomcat SSL implementation or its configuration.
That's why I'm looking for people with positive experience on this kind of
setup.


- Original Message -
From: "Bodycombe, Andrew" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Friday, June 06, 2003 12:58 PM
Subject: RE: SSL client authentication with tomcat 4.1.24


> You need to import your personal certificate into your browser.
>
> In IE:
> Select 'Internet Options' from the Tools Menu
> Select the Content tab
> Press the certificates button
>
> This takes you to the screen showing all your certificates
> Select the 'Personal' tab
> Press Import to import your certificate
>
> Andy
>
> -Original Message-----
> From: Duma Rolando [mailto:[EMAIL PROTECTED]
> Sent: 06 June 2003 11:31
> To: Tomcat Mailing List
> Subject: SSL client authentication with tomcat 4.1.24
>
>
> Is there anyone that have a running tomcat 4.1.24 standalone server with
SSL
> and clientAuth="true"?
> My current config doesn't work ( i.e. Internet Explorer doesn't display my
> personal certificate, Mozilla displays an error message ).I tried with
only
> one SSL connector on port 443 and with also an http connector on port 80
> without success.I would like to know if I'm wasting time or there are
> "success stories" about this in this community.
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL client authentication with tomcat 4.1.24

2003-06-06 Thread Mario Ivankovits 
For me, it looks like some certificates cant be read by tomcat/ssl.

So, my Thawte FreeMail Member certificate works, but the certificate
generated by SuSE OpenExchange wont work.

I havent figured out what the difference could be for now.

Mario

- Original Message - 
From: "Duma Rolando" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, June 06, 2003 1:40 PM
Subject: Re: SSL client authentication with tomcat 4.1.24


> I have already imported my certificate.This is correctly showed if I
connect
> to an apache + mod-ssl server with "SSLVerifyClient require" directive, so
I
> think the problem belongs to Tomcat SSL implementation or its
configuration.
> That's why I'm looking for people with positive experience on this kind of
> setup.
>
>
> - Original Message -
> From: "Bodycombe, Andrew" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Friday, June 06, 2003 12:58 PM
> Subject: RE: SSL client authentication with tomcat 4.1.24
>
>
> > You need to import your personal certificate into your browser.
> >
> > In IE:
> > Select 'Internet Options' from the Tools Menu
> > Select the Content tab
> > Press the certificates button
> >
> > This takes you to the screen showing all your certificates
> > Select the 'Personal' tab
> > Press Import to import your certificate
> >
> > Andy
> >
> > -Original Message-
> > From: Duma Rolando [mailto:[EMAIL PROTECTED]
> > Sent: 06 June 2003 11:31
> > To: Tomcat Mailing List
> > Subject: SSL client authentication with tomcat 4.1.24
> >
> >
> > Is there anyone that have a running tomcat 4.1.24 standalone server with
> SSL
> > and clientAuth="true"?
> > My current config doesn't work ( i.e. Internet Explorer doesn't display
my
> > personal certificate, Mozilla displays an error message ).I tried with
> only
> > one SSL connector on port 443 and with also an http connector on port 80
> > without success.I would like to know if I'm wasting time or there are
> > "success stories" about this in this community.
> >
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: SSL client authentication with IE 6.0

2003-06-06 Thread Lin, Zhongwu 
Duma,

>>the list of certificates is empty!
This means that you don't have client certificate in your client machine. 

-Original Message-
From: Duma Rolando [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 9:31 AM
To: Tomcat Mailing List
Subject: SSL client authentication with IE 6.0


I'm running Tomcat 4.1.24 standalone with SSL client authentication
enabled.Internet Explorer 6.0 when I try to access the server pops up a
window that ask me which certificate will be used for client authentication,
but the list of certificates is empty!





I've tested my browser on apache with mod_ssl and client authentication, and
IE pops up the same window but in this case my personal certificate is
present.
This is the only tomcat connector configured on my PC.


  

Thanks for your help.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL client authentication with tomcat 4.1.24

2003-06-06 Thread Bill Barker 
I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte
(to verify this, search the java.sun.com site).  To allow OpenExchange
signed certs, you need to get the signing cert (not hard), and import it
into cacerts.

"Mario Ivankovits" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> For me, it looks like some certificates cant be read by tomcat/ssl.
>
> So, my Thawte FreeMail Member certificate works, but the certificate
> generated by SuSE OpenExchange wont work.
>
> I havent figured out what the difference could be for now.
>
> Mario
>
> - Original Message -
> From: "Duma Rolando" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Friday, June 06, 2003 1:40 PM
> Subject: Re: SSL client authentication with tomcat 4.1.24
>
>
> > I have already imported my certificate.This is correctly showed if I
> connect
> > to an apache + mod-ssl server with "SSLVerifyClient require" directive,
so
> I
> > think the problem belongs to Tomcat SSL implementation or its
> configuration.
> > That's why I'm looking for people with positive experience on this kind
of
> > setup.
> >
> >
> > - Original Message -----
> > From: "Bodycombe, Andrew" <[EMAIL PROTECTED]>
> > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > Sent: Friday, June 06, 2003 12:58 PM
> > Subject: RE: SSL client authentication with tomcat 4.1.24
> >
> >
> > > You need to import your personal certificate into your browser.
> > >
> > > In IE:
> > > Select 'Internet Options' from the Tools Menu
> > > Select the Content tab
> > > Press the certificates button
> > >
> > > This takes you to the screen showing all your certificates
> > > Select the 'Personal' tab
> > > Press Import to import your certificate
> > >
> > > Andy
> > >
> > > -Original Message-
> > > From: Duma Rolando [mailto:[EMAIL PROTECTED]
> > > Sent: 06 June 2003 11:31
> > > To: Tomcat Mailing List
> > > Subject: SSL client authentication with tomcat 4.1.24
> > >
> > >
> > > Is there anyone that have a running tomcat 4.1.24 standalone server
with
> > SSL
> > > and clientAuth="true"?
> > > My current config doesn't work ( i.e. Internet Explorer doesn't
display
> my
> > > personal certificate, Mozilla displays an error message ).I tried with
> > only
> > > one SSL connector on port 443 and with also an http connector on port
80
> > > without success.I would like to know if I'm wasting time or there are
> > > "success stories" about this in this community.
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL client authentication with tomcat 4.1.24

2003-06-09 Thread Mario Ivankovits 
It works!

Thank you 

- Original Message - 
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 07, 2003 5:33 AM
Subject: Re: SSL client authentication with tomcat 4.1.24


> I believe that the Sun 1.4 JVM ships with the certs for Verisign and
Thawte
> (to verify this, search the java.sun.com site).  To allow OpenExchange
> signed certs, you need to get the signing cert (not hard), and import it
> into cacerts.
>
> "Mario Ivankovits" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > For me, it looks like some certificates cant be read by tomcat/ssl.
> >
> > So, my Thawte FreeMail Member certificate works, but the certificate
> > generated by SuSE OpenExchange wont work.
> >
> > I havent figured out what the difference could be for now.
> >
> > Mario
> >
> > - Original Message -
> > From: "Duma Rolando" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Friday, June 06, 2003 1:40 PM
> > Subject: Re: SSL client authentication with tomcat 4.1.24
> >
> >
> > > I have already imported my certificate.This is correctly showed if I
> > connect
> > > to an apache + mod-ssl server with "SSLVerifyClient require"
directive,
> so
> > I
> > > think the problem belongs to Tomcat SSL implementation or its
> > configuration.
> > > That's why I'm looking for people with positive experience on this
kind
> of
> > > setup.
> > >
> > >
> > > - Original Message -
> > > From: "Bodycombe, Andrew" <[EMAIL PROTECTED]>
> > > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > > Sent: Friday, June 06, 2003 12:58 PM
> > > Subject: RE: SSL client authentication with tomcat 4.1.24
> > >
> > >
> > > > You need to import your personal certificate into your browser.
> > > >
> > > > In IE:
> > > > Select 'Internet Options' from the Tools Menu
> > > > Select the Content tab
> > > > Press the certificates button
> > > >
> > > > This takes you to the screen showing all your certificates
> > > > Select the 'Personal' tab
> > > > Press Import to import your certificate
> > > >
> > > > Andy
> > > >
> > > > -Original Message-
> > > > From: Duma Rolando [mailto:[EMAIL PROTECTED]
> > > > Sent: 06 June 2003 11:31
> > > > To: Tomcat Mailing List
> > > > Subject: SSL client authentication with tomcat 4.1.24
> > > >
> > > >
> > > > Is there anyone that have a running tomcat 4.1.24 standalone server
> with
> > > SSL
> > > > and clientAuth="true"?
> > > > My current config doesn't work ( i.e. Internet Explorer doesn't
> display
> > my
> > > > personal certificate, Mozilla displays an error message ).I tried
with
> > > only
> > > > one SSL connector on port 443 and with also an http connector on
port
> 80
> > > > without success.I would like to know if I'm wasting time or there
are
> > > > "success stories" about this in this community.
> > > >
> > > >
> > >
> -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > >
> -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
>
>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL client authentication with tomcat 4.1.24

2003-06-10 Thread Duma Rolando 
I'm still having trouble with my setup.
These are my keystore entries:

Tipo keystore: jks
Provider keystore: SUN

Il keystore contiene 3 entry

scai, 10-giu-2003, keyEntry,
Impronta digitale certificato (MD5):
D5:FC:34:5E:12:03:CD:29:84:18:C9:4C:33:07:6C:5D
_dgripbmo, 10-giu-2003, trustedCertEntry,
Impronta digitale certificato (MD5):
F5:ED:E9:B2:D9:71:F9:B6:6F:E9:39:27:4D:0A:A4:F7
dumarolando, 10-giu-2003, trustedCertEntry,
Impronta digitale certificato (MD5):
E6:8D:22:29:5C:33:20:52:10:75:6A:8E:5D:03:4C:B3

The second item is the CA certificate that signs my personal certificate,
the last is my personal certificate present also in my IE Personal
certificates tab.If nothing is missing and the browser still pops up an
empty personal certificate list, maybe there is a problem with the
cryptographic providers or with the encription algorithms used?
As a note my personal certificate is stored on a Gemplus smartcard connected
with a USB reader all works fine if I connect to an Apache server with
mod_ssl.

- Original Message -
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 07, 2003 5:33 AM
Subject: Re: SSL client authentication with tomcat 4.1.24


> I believe that the Sun 1.4 JVM ships with the certs for Verisign and
Thawte
> (to verify this, search the java.sun.com site).  To allow OpenExchange
> signed certs, you need to get the signing cert (not hard), and import it
> into cacerts.
>
> "Mario Ivankovits" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > For me, it looks like some certificates cant be read by tomcat/ssl.
> >
> > So, my Thawte FreeMail Member certificate works, but the certificate
> > generated by SuSE OpenExchange wont work.
> >
> > I havent figured out what the difference could be for now.
> >
> > Mario
> >
> > - Original Message -
> > From: "Duma Rolando" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Friday, June 06, 2003 1:40 PM
> > Subject: Re: SSL client authentication with tomcat 4.1.24
> >
> >
> > > I have already imported my certificate.This is correctly showed if I
> > connect
> > > to an apache + mod-ssl server with "SSLVerifyClient require"
directive,
> so
> > I
> > > think the problem belongs to Tomcat SSL implementation or its
> > configuration.
> > > That's why I'm looking for people with positive experience on this
kind
> of
> > > setup.
> > >
> > >
> > > - Original Message -
> > > From: "Bodycombe, Andrew" <[EMAIL PROTECTED]>
> > > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > > Sent: Friday, June 06, 2003 12:58 PM
> > > Subject: RE: SSL client authentication with tomcat 4.1.24
> > >
> > >
> > > > You need to import your personal certificate into your browser.
> > > >
> > > > In IE:
> > > > Select 'Internet Options' from the Tools Menu
> > > > Select the Content tab
> > > > Press the certificates button
> > > >
> > > > This takes you to the screen showing all your certificates
> > > > Select the 'Personal' tab
> > > > Press Import to import your certificate
> > > >
> > > > Andy
> > > >
> > > > -Original Message-
> > > > From: Duma Rolando [mailto:[EMAIL PROTECTED]
> > > > Sent: 06 June 2003 11:31
> > > > To: Tomcat Mailing List
> > > > Subject: SSL client authentication with tomcat 4.1.24
> > > >
> > > >
> > > > Is there anyone that have a running tomcat 4.1.24 standalone server
> with
> > > SSL
> > > > and clientAuth="true"?
> > > > My current config doesn't work ( i.e. Internet Explorer doesn't
> display
> > my
> > > > personal certificate, Mozilla displays an error message ).I tried
with
> > > only
> > > > one SSL connector on port 443 and with also an http connector on
port
> 80
> > > > without success.I would like to know if I'm wasting time or there
are
> > > > "success stories" about this in this community.
> > > >
> > > >
> > >
> -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > >
> -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
>
>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL client authentication with tomcat 4.1.24

2003-06-10 Thread Mario Ivankovits 
You have to import the root CA into the java cacerts keystore

Assuming a windows-java installation in "C:\j2sdk" the location is:
C:\j2sdk\jre\lib\security\cacerts

using

> cd C:\j2sdk\jre\lib\security
> keytool -import -keystore cacerts -storepass changeit -file
the-root-ca.cer

did the job for me.

Mario
- Original Message - 
From: "Duma Rolando" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, June 10, 2003 9:24 AM
Subject: Re: SSL client authentication with tomcat 4.1.24


> I'm still having trouble with my setup.
> These are my keystore entries:
>
> Tipo keystore: jks
> Provider keystore: SUN
>
> Il keystore contiene 3 entry
>
> scai, 10-giu-2003, keyEntry,
> Impronta digitale certificato (MD5):
> D5:FC:34:5E:12:03:CD:29:84:18:C9:4C:33:07:6C:5D
> _dgripbmo, 10-giu-2003, trustedCertEntry,
> Impronta digitale certificato (MD5):
> F5:ED:E9:B2:D9:71:F9:B6:6F:E9:39:27:4D:0A:A4:F7
> dumarolando, 10-giu-2003, trustedCertEntry,
> Impronta digitale certificato (MD5):
> E6:8D:22:29:5C:33:20:52:10:75:6A:8E:5D:03:4C:B3
>
> The second item is the CA certificate that signs my personal certificate,
> the last is my personal certificate present also in my IE Personal
> certificates tab.If nothing is missing and the browser still pops up an
> empty personal certificate list, maybe there is a problem with the
> cryptographic providers or with the encription algorithms used?
> As a note my personal certificate is stored on a Gemplus smartcard
connected
> with a USB reader all works fine if I connect to an Apache server with
> mod_ssl.
>
> - Original Message -----
> From: "Bill Barker" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, June 07, 2003 5:33 AM
> Subject: Re: SSL client authentication with tomcat 4.1.24
>
>
> > I believe that the Sun 1.4 JVM ships with the certs for Verisign and
> Thawte
> > (to verify this, search the java.sun.com site).  To allow OpenExchange
> > signed certs, you need to get the signing cert (not hard), and import it
> > into cacerts.
> >
> > "Mario Ivankovits" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > > For me, it looks like some certificates cant be read by tomcat/ssl.
> > >
> > > So, my Thawte FreeMail Member certificate works, but the certificate
> > > generated by SuSE OpenExchange wont work.
> > >
> > > I havent figured out what the difference could be for now.
> > >
> > > Mario
> > >
> > > - Original Message -
> > > From: "Duma Rolando" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > Sent: Friday, June 06, 2003 1:40 PM
> > > Subject: Re: SSL client authentication with tomcat 4.1.24
> > >
> > >
> > > > I have already imported my certificate.This is correctly showed if I
> > > connect
> > > > to an apache + mod-ssl server with "SSLVerifyClient require"
> directive,
> > so
> > > I
> > > > think the problem belongs to Tomcat SSL implementation or its
> > > configuration.
> > > > That's why I'm looking for people with positive experience on this
> kind
> > of
> > > > setup.
> > > >
> > > >
> > > > - Original Message -
> > > > From: "Bodycombe, Andrew" <[EMAIL PROTECTED]>
> > > > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > > > Sent: Friday, June 06, 2003 12:58 PM
> > > > Subject: RE: SSL client authentication with tomcat 4.1.24
> > > >
> > > >
> > > > > You need to import your personal certificate into your browser.
> > > > >
> > > > > In IE:
> > > > > Select 'Internet Options' from the Tools Menu
> > > > > Select the Content tab
> > > > > Press the certificates button
> > > > >
> > > > > This takes you to the screen showing all your certificates
> > > > > Select the 'Personal' tab
> > > > > Press Import to import your certificate
> > > > >
> > > > > Andy
> > > > >
> > > > > -Original Message-
> > > > > From: Duma Rolando [mailto:[EMAIL PROTECTED]
> > > > > Sent: 06 June 2003 11:31
> > > > > To: Tomcat Mailing List
> > > > > Subject: SSL client authentication with tomcat 4.1.24
&

Re: SSL client authentication with tomcat 4.1.24

2003-06-10 Thread Duma Rolando 
It works, thanks a lot for your help.

- Original Message -
From: "Mario Ivankovits" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, June 10, 2003 9:36 AM
Subject: Re: SSL client authentication with tomcat 4.1.24


> You have to import the root CA into the java cacerts keystore
>
> Assuming a windows-java installation in "C:\j2sdk" the location is:
> C:\j2sdk\jre\lib\security\cacerts
>
> using
>
> > cd C:\j2sdk\jre\lib\security
> > keytool -import -keystore cacerts -storepass changeit -file
> the-root-ca.cer
>
> did the job for me.
>
> Mario
> - Original Message -
> From: "Duma Rolando" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, June 10, 2003 9:24 AM
> Subject: Re: SSL client authentication with tomcat 4.1.24
>
>
> > I'm still having trouble with my setup.
> > These are my keystore entries:
> >
> > Tipo keystore: jks
> > Provider keystore: SUN
> >
> > Il keystore contiene 3 entry
> >
> > scai, 10-giu-2003, keyEntry,
> > Impronta digitale certificato (MD5):
> > D5:FC:34:5E:12:03:CD:29:84:18:C9:4C:33:07:6C:5D
> > _dgripbmo, 10-giu-2003, trustedCertEntry,
> > Impronta digitale certificato (MD5):
> > F5:ED:E9:B2:D9:71:F9:B6:6F:E9:39:27:4D:0A:A4:F7
> > dumarolando, 10-giu-2003, trustedCertEntry,
> > Impronta digitale certificato (MD5):
> > E6:8D:22:29:5C:33:20:52:10:75:6A:8E:5D:03:4C:B3
> >
> > The second item is the CA certificate that signs my personal
certificate,
> > the last is my personal certificate present also in my IE Personal
> > certificates tab.If nothing is missing and the browser still pops up an
> > empty personal certificate list, maybe there is a problem with the
> > cryptographic providers or with the encription algorithms used?
> > As a note my personal certificate is stored on a Gemplus smartcard
> connected
> > with a USB reader all works fine if I connect to an Apache server with
> > mod_ssl.
> >
> > - Original Message -
> > From: "Bill Barker" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Saturday, June 07, 2003 5:33 AM
> > Subject: Re: SSL client authentication with tomcat 4.1.24
> >
> >
> > > I believe that the Sun 1.4 JVM ships with the certs for Verisign and
> > Thawte
> > > (to verify this, search the java.sun.com site).  To allow OpenExchange
> > > signed certs, you need to get the signing cert (not hard), and import
it
> > > into cacerts.
> > >
> > > "Mario Ivankovits" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]
> > > > For me, it looks like some certificates cant be read by tomcat/ssl.
> > > >
> > > > So, my Thawte FreeMail Member certificate works, but the certificate
> > > > generated by SuSE OpenExchange wont work.
> > > >
> > > > I havent figured out what the difference could be for now.
> > > >
> > > > Mario
> > > >
> > > > - Original Message -
> > > > From: "Duma Rolando" <[EMAIL PROTECTED]>
> > > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > > Sent: Friday, June 06, 2003 1:40 PM
> > > > Subject: Re: SSL client authentication with tomcat 4.1.24
> > > >
> > > >
> > > > > I have already imported my certificate.This is correctly showed if
I
> > > > connect
> > > > > to an apache + mod-ssl server with "SSLVerifyClient require"
> > directive,
> > > so
> > > > I
> > > > > think the problem belongs to Tomcat SSL implementation or its
> > > > configuration.
> > > > > That's why I'm looking for people with positive experience on this
> > kind
> > > of
> > > > > setup.
> > > > >
> > > > >
> > > > > - Original Message -
> > > > > From: "Bodycombe, Andrew" <[EMAIL PROTECTED]>
> > > > > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > > > > Sent: Friday, June 06, 2003 12:58 PM
> > > > > Subject: RE: SSL client authentication with tomcat 4.1.24
> > > > >
> > > > >
> > > > > > You need to import your personal certificate into your browser.
> > > > > >
> > > > > > In IE:
> >

Re: Re[2]: Tomcat: SSL client authentication

2003-07-27 Thread Bill Barker 
>From your 1., your client cert is self-signed, not signed by your CA cert.
Since this amounts to telling the server "I am Dmitry, because I said so",
it's a security-risk to accept self-signed client certs, so most HTTPS
servers won't accept them.  (Of course, it is also the same security-risk to
accept self-signed server-certs.  However, there is a big difference between
clicking Ok in the browser's dialog box, and paging the webmaster at 3AM to
agree to accept it ;-).

The easiest thing would be to get a Thawte client-cert (since you don't have
to pay for it), and use that instead of your self-signed one.  For testing,
that is what I do (except that I use my Verisign cert, since my employer
pays for that one :).  At least with Sun's JSSE, Thawte's Root cert is
installed in cacerts by default.  Setting up your own CA is only needed if
you have to hand out your own client-certs when you move to production.

"Dmitry S.Rogulin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> But (as I pointed out in 3.,4. and 6) I have client cert and CA cert.
> The latter I imported to the cacert.
> I tried to do the same without Tomact but with very simple HTTP(s)
> server and got the same result. So I suggest that I did something
> wrong with creating/importing certs.
>
> But what's wrong?
>
> BB> You can't generally use a self-signed client cert with JSSE (you can
> BB> configure PureTLS to accept it, but another bug means that you'd have
to
> BB> wait for 4.1.26).  The work-around is way too much trouble for the
sysadmin,
> BB> and I don't feel like being an enabler for a true hideous design.  So,
> BB> you'll just have to read the JSSE docs for yourself ;-).
>
> BB> If you need to issue your own client-certs, I'd suggest setting up
your own
> BB> CA (with OpenSSL or otherwise), and import your CA's cert into
cacerts.  You
> BB> can then hand out client certs, and Tomcat will accept them.
>
> BB> "Dmitry S.Rogulin" wrote in message
> BB> news:[EMAIL PROTECTED]
> >> Hello all,
> >>
> >> Sorry for the previous e-mail. %)
> >>
> >> This theme was discussed about month ago. I tried to use what I've
> >> found but I'm still having a problem...
> >>
> >> I'm trying to do SSL client authentication with Tomcat 4.1.18
> BB> (clientAuth="true").
> >>
> >> 1. I've generated a client certificate using keytool:
> >>   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore
client.keystore
> >>
> >> 2. Then I created Certificate Signing Request:
> >>   keytool -certreq -keyalg RSA -alias tomcat-cl -file
> BB> certreq.csr -keystore client.keystore
> >>
> >> 3. I sent it to CA and got a signed certificate and CA Certificate.
> >> 4. I imported them to the client keystore:
> >>   keytool -import -alias root -keystore client.keystore -file cacert
> >>   keytool -import -alias tomcat-cl -keystore client.keystore -file
> BB> usercert
> >>
> >> 5. I exported server certificate and imported it as a trusted to the
> >> trusted keystore:
> >>   keytool -import -trustcacerts -alias tomcat -file
server.cer -keystore
> BB> trust.keystore
> >>
> >> 6. I imported CA Certificate to "\jre\lib\security\cacerts" :
> >>   keytool -import -file cacert -keystore
> BB> %java_home%\jre\lib\security\cacerts -storepass changeit
> >>
> >>   I'm running Tomcat and test client on the same machine.
> >>   Server keystore: %USERHOME%\.keystore
> >>   Client keystore: %USERHOME%\client.keystore
> >>   Client trusted keystore: %USERHOME%\trust.keystore
> >>
> >>   Test Client:
> >> 
> >> import java.net.*;
> >> import java.io.*;
> >> import java.util.*;
> >> import java.security.*;
> >> import javax.net.ssl.*;
> >>
> >> public class SimpleClient {
> >>
> >> public static void main(String[] args) {
> >> System.setProperty("javax.net.ssl.trustStore",
> BB> System.getProperty("user.home")+File.separator +"trust.keystore");
> >>
> >> System.setProperty("javax.net.ssl.keyStore",
> BB> System.getProperty("user.home")+File.separator +"client.keystore");
> >> System.setProperty("javax.net.ssl.keyStorePassword",
> BB> "changeit");
> >>
> >>

Re: ssl client authentication drives me crazy

2003-10-14 Thread Kenneth Westelinck 
This article solved everything for me:
http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html
Follow it to the letter and you will get it to work. Trust me.


From: "Twan Munster" <[EMAIL PROTECTED]>
Reply-To: "Twan Munster" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Subject: ssl client authentication drives me crazy
Date: Tue, 14 Oct 2003 09:33:26 +0200
Hello,

With apache client authentication was so simple. Now my boss wants to use 
it for smartcard login and I have to use tomcat with cocoon. Thats why I 
need the client authentication with ssl to work. But I just can't fix it 
can anyone please help me. All examples wont work I always get errors like  
Unsupported SSL v2.0 ClientHello,  no cipher suites in common and handshake 
error

Can somebody please tell me how to use keytool. I've got the following 
certificates and I use them in apache like this:

1 server.crt = server certificate
2 ca.crt = chain certificate
3 ca-bundle.crt = lots of certificates for client authentication
4 server.key = i really don't know how to get this one in keytool
Thnx

Twan Munster
_
Chatten met je online vrienden via MSN Messenger. http://messenger.msn.be
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: ssl client authentication drives me crazy

2003-10-14 Thread Twan Munster 
Hi,

And also when i use that self signed certificates, it won't work alwasy the
same errors:
Unsupported SSL v2.0 ClientHello,  no cipher suites in common and handshake
error.
what can it be???something wrong configured? this is my server.xml


  

- Original Message - 
From: "Kenneth Westelinck" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 9:40 AM
Subject: Re: ssl client authentication drives me crazy


> This article solved everything for me:
> http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html
>
> Follow it to the letter and you will get it to work. Trust me.
>
>
> >From: "Twan Munster" <[EMAIL PROTECTED]>
> >Reply-To: "Twan Munster" <[EMAIL PROTECTED]>
> >To: "Tomcat Users List" <[EMAIL PROTECTED]>
> >Subject: ssl client authentication drives me crazy
> >Date: Tue, 14 Oct 2003 09:33:26 +0200
> >
> >Hello,
> >
> >With apache client authentication was so simple. Now my boss wants to use
> >it for smartcard login and I have to use tomcat with cocoon. Thats why I
> >need the client authentication with ssl to work. But I just can't fix it
> >can anyone please help me. All examples wont work I always get errors
like
> >Unsupported SSL v2.0 ClientHello,  no cipher suites in common and
handshake
> >error
> >
> >Can somebody please tell me how to use keytool. I've got the following
> >certificates and I use them in apache like this:
> >
> >1 server.crt = server certificate
> >2 ca.crt = chain certificate
> >3 ca-bundle.crt = lots of certificates for client authentication
> >4 server.key = i really don't know how to get this one in keytool
> >
> >Thnx
> >
> >Twan Munster
>
> _
> Chatten met je online vrienden via MSN Messenger. http://messenger.msn.be
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

SSL Client authentication: what goes in tomcat-users.xml?

2003-10-03 Thread Christopher Williams 
Following the advice from this link
http://books.mcgraw-hill.com/betabooks/aug02/taylor/0072225653_ch10.html

I tried to get SSL client authentication to work by setting the following
entry in tomcat-users.xml:


where x,y,z,etc. have real but unimportant values.  Evidently Tomcat somehow
matches the distinguished name from my certificate against an entry in the
users file, presumably to establish the user's role.  If it fails to make a
match, no authentication takes place which, I guess, is why I was able to
access protected pages but getUserPrincipal() was returning null.  However,
when I start Tomcat I get the error:
GlobalResourcesLifecycleListener: Exception creating UserDatabase MBeans for
UserDatabase
javax.management.MalformedObjectNameException: ObjectName: Invalid
(key,value) pair -> username=CN=x

So, what do I put in tomcat-users.xml to get client certificate
authentication to work?  Do I have to escape the '=' signs in some way?

TIA (as I really want to put this issue to bed),

Chris Williams.

P.S. If somebody tells me to "read the FAQ", please specify WHICH FAQ.  I've
read hundreds over the past few days trying to get to the bottom of
CLIENT-CERT auth.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RV: Tomcat SSL client authentication problem with Internet Explore

2003-08-21 Thread "Ratón Lacarcel, Antonio" 
Hi!

I have a problem with Tomcat 4.0.6 and SSL client authentication. When I use the 
Internet Explorer browser (v6.0) and I try to access the secure URL (for example 
https://whatever:8043), an empty list of certificates is presented. However, if I use 
Mozilla 1.4 or Netscape  4.76, the client certificates are presented and the secure 
pages are available.

The following environment is used:

 + jdk1.3.1_08
 + Microsoft Certificate Server
 + Tomcat 4.0.6

My server.xml file has the following element:

  



I have also created the keystores and the cacerts (for trusted certificates) files. 
Tomcat also finds the cacerts file because I've added the following parameters in the 
Tomcat enviroment variables (and because I've seen it in the debug console):
-Djavax.net.ssl.trustStore=c:\path_to_cacerts\cacerts
-Djavax.net.ssl.trustStorePassword=changeit

I have defined my own CA, my server-tomcat certificate signed by the CA and in order 
to create the client certificates, I've used the Certificate Server web tool, asking 
for a web certificate using each browser (Netscape-IE-Mozilla) and installing the 
client certificate from the browser.

Could you help me please?

If more info is needed, please tell it to me and I will try to explain the problem 
with higher detail.

Thanks in advance and sorry if my english is too simple...

Antonio Ratón

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.511 / Virus Database: 308 - Release Date: 18/08/2003

---
Este correo electrónico y, en su caso, cualquier fichero anexo al mismo, contiene 
información de carácter confidencial exclusivamente dirigida a su destinatario o 
destinatarios. Queda prohibida su divulgación, copia o distribución a terceros sin la 
previa autorización escrita de Indra. En el caso de haber recibido este correo 
electrónico por error, se ruega notificar inmediatamente esta circunstancia mediante 
reenvío a la dirección electrónica del remitente.

The information in this e-mail and in any attachments is confidential and solely for 
the attention and use of the named addressee(s). You are hereby notified that any 
dissemination, distribution or copy of this communication is prohibited without the 
prior written consent of Indra. If you have received this communication in error, 
please, notify the sender by reply e-mail

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Tomcat SSL client authentication problem with Internet Explore

2003-08-21 Thread Bill Barker 
I'm guessing that you didn't install your CA's cert in MSIE's root
certificates.  Since Tomcat will ask for certs signed by your CA, if MSIE
can't find any (that it can verify the chain with), you get an empty box.

"Ratón Lacarcel, Antonio" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Hi!

I have a problem with Tomcat 4.0.6 and SSL client authentication. When I use
the Internet Explorer browser (v6.0) and I try to access the secure URL (for
example https://whatever:8043), an empty list of certificates is presented.
However, if I use Mozilla 1.4 or Netscape  4.76, the client certificates are
presented and the secure pages are available.

The following environment is used:

 + jdk1.3.1_08
 + Microsoft Certificate Server
 + Tomcat 4.0.6

My server.xml file has the following element:

  



I have also created the keystores and the cacerts (for trusted certificates)
files. Tomcat also finds the cacerts file because I've added the following
parameters in the Tomcat enviroment variables (and because I've seen it in
the debug console):
-Djavax.net.ssl.trustStore=c:\path_to_cacerts\cacerts
-Djavax.net.ssl.trustStorePassword=changeit

I have defined my own CA, my server-tomcat certificate signed by the CA and
in order to create the client certificates, I've used the Certificate Server
web tool, asking for a web certificate using each browser
(Netscape-IE-Mozilla) and installing the client certificate from the
browser.

Could you help me please?

If more info is needed, please tell it to me and I will try to explain the
problem with higher detail.

Thanks in advance and sorry if my english is too simple...

Antonio Ratón

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.511 / Virus Database: 308 - Release Date: 18/08/2003


---
Este correo electrónico y, en su caso, cualquier fichero anexo al mismo,
contiene información de carácter confidencial exclusivamente dirigida a su
destinatario o destinatarios. Queda prohibida su divulgación, copia o
distribución a terceros sin la previa autorización escrita de Indra. En el
caso de haber recibido este correo electrónico por error, se ruega notificar
inmediatamente esta circunstancia mediante reenvío a la dirección
electrónica del remitente.

The information in this e-mail and in any attachments is confidential and
solely for the attention and use of the named addressee(s). You are hereby
notified that any dissemination, distribution or copy of this communication
is prohibited without the prior written consent of Indra. If you have
received this communication in error, please, notify the sender by reply
e-mail




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Tomcat SSL client authentication problem with Internet Explore

2003-08-22 Thread "Ratón Lacarcel, Antonio" 
Hi again...

CA cert is installed in MSIE's root certificates (also in  Mozilla root certificates) 
but the box is still empty.

Any idea?

Thank you!!!

-Mensaje original-
De: Bill Barker [mailto:[EMAIL PROTECTED]
Enviado el: viernes, 22 de agosto de 2003 6:17
Para: [EMAIL PROTECTED]
Asunto: Re: Tomcat SSL client authentication problem with Internet
Explore


I'm guessing that you didn't install your CA's cert in MSIE's root
certificates.  Since Tomcat will ask for certs signed by your CA, if MSIE
can't find any (that it can verify the chain with), you get an empty box.

"Ratón Lacarcel, Antonio" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Hi!

I have a problem with Tomcat 4.0.6 and SSL client authentication. When I use
the Internet Explorer browser (v6.0) and I try to access the secure URL (for
example https://whatever:8043), an empty list of certificates is presented.
However, if I use Mozilla 1.4 or Netscape  4.76, the client certificates are
presented and the secure pages are available.

The following environment is used:

 + jdk1.3.1_08
 + Microsoft Certificate Server
 + Tomcat 4.0.6

My server.xml file has the following element:

  



I have also created the keystores and the cacerts (for trusted certificates)
files. Tomcat also finds the cacerts file because I've added the following
parameters in the Tomcat enviroment variables (and because I've seen it in
the debug console):
-Djavax.net.ssl.trustStore=c:\path_to_cacerts\cacerts
-Djavax.net.ssl.trustStorePassword=changeit

I have defined my own CA, my server-tomcat certificate signed by the CA and
in order to create the client certificates, I've used the Certificate Server
web tool, asking for a web certificate using each browser
(Netscape-IE-Mozilla) and installing the client certificate from the
browser.

Could you help me please?

If more info is needed, please tell it to me and I will try to explain the
problem with higher detail.

Thanks in advance and sorry if my english is too simple...

Antonio Ratón

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.511 / Virus Database: 308 - Release Date: 18/08/2003


---
Este correo electrónico y, en su caso, cualquier fichero anexo al mismo,
contiene información de carácter confidencial exclusivamente dirigida a su
destinatario o destinatarios. Queda prohibida su divulgación, copia o
distribución a terceros sin la previa autorización escrita de Indra. En el
caso de haber recibido este correo electrónico por error, se ruega notificar
inmediatamente esta circunstancia mediante reenvío a la dirección
electrónica del remitente.

The information in this e-mail and in any attachments is confidential and
solely for the attention and use of the named addressee(s). You are hereby
notified that any dissemination, distribution or copy of this communication
is prohibited without the prior written consent of Indra. If you have
received this communication in error, please, notify the sender by reply
e-mail




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.511 / Virus Database: 308 - Release Date: 18/08/2003


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.511 / Virus Database: 308 - Release Date: 18/08/2003

---
Este correo electrónico y, en su caso, cualquier fichero anexo al mismo, contiene 
información de carácter confidencial exclusivamente dirigida a su destinatario o 
destinatarios. Queda prohibida su divulgación, copia o distribución a terceros sin la 
previa autorización escrita de Indra. En el caso de haber recibido este correo 
electrónico por error, se ruega notificar inmediatamente esta circunstancia mediante 
reenvío a la dirección electrónica del remitente.

The information in this e-mail and in any attachments is confidential and solely for 
the attention and use of the named addressee(s). You are hereby notified that any 
dissemination, distribution or copy of this communication is prohibited without the 
prior written consent of Indra. If you have received this communication in error, 
please, notify the sender by reply e-mail

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSL Client authentication: what goes in tomcat-users.xml?

2003-10-03 Thread Bill Barker 

"Christopher Williams" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Following the advice from this link
> http://books.mcgraw-hill.com/betabooks/aug02/taylor/0072225653_ch10.html
>
> I tried to get SSL client authentication to work by setting the following
> entry in tomcat-users.xml:
> 
>
> where x,y,z,etc. have real but unimportant values.  Evidently Tomcat
somehow
> matches the distinguished name from my certificate against an entry in the
> users file, presumably to establish the user's role.  If it fails to make
a
> match, no authentication takes place which, I guess, is why I was able to
> access protected pages but getUserPrincipal() was returning null.
However,
> when I start Tomcat I get the error:
> GlobalResourcesLifecycleListener: Exception creating UserDatabase MBeans
for
> UserDatabase
> javax.management.MalformedObjectNameException: ObjectName: Invalid
> (key,value) pair -> username=CN=x
>

The correct value to use is the string-value of the Certificate Subject.
However, only the MemoryRealm (of the standard Tomcat Realms) works with
CLIENT-CERT authentication.  So you have to disable the default
DatasourceRealm and enable the MemoryRealm.

You also have to (at least in 4.1.27 and lower) disable the Datasource under
the GlobalResources.  This is because it will attempt to write back the
tomcat-users.xml file without escaping the attribute values (resulting in
invalid XML).  Then (after fixing the damage that Tomcat has already done to
your file :), what you have should work.

> So, what do I put in tomcat-users.xml to get client certificate
> authentication to work?  Do I have to escape the '=' signs in some way?
>

The main thing that you have to escape is quote ('\"') characters.  For
example, Verisign-issued certs typically have an entry like O="Verisign,
Inc.".  You need to render this as O="Verisign, Inc.".


> TIA (as I really want to put this issue to bed),
>
> Chris Williams.
>
> P.S. If somebody tells me to "read the FAQ", please specify WHICH FAQ.
I've
> read hundreds over the past few days trying to get to the bottom of
> CLIENT-CERT auth.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

SSL-CLIENT authentication causes getUserPrincipal() to return null. Any idea why?

2003-08-21 Thread Christopher Williams 
My setup:
JWSDP 1.2
Windows XP Pro
JDK 1.4.2

I want to know who's accessing a certain web page after they've
authenticated to Tomcat.  No problem if I use BASIC authentication.
However, when I use SSL-CLIENT authentication, calling getUserPrincipal() on
the incoming Request object returns null, which is no use at all.

Question: is this intended behaviour (it's pretty dumb if it is)?  If not,
how do I get information about the authenticated user?

TIA,

Chris Williams.



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]